Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

OIDC provider #33945

Open
wants to merge 31 commits into
base: main
Choose a base branch
from
Open

OIDC provider #33945

wants to merge 31 commits into from

Conversation

scubbo
Copy link

@scubbo scubbo commented Mar 20, 2025

This adds support for a Github Actions compatible OIDC provider.

For more info, see:
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect

It depends on a few changes in act and act_runner:
https://gitea.com/gitea/act_runner/pulls/272
https://gitea.com/gitea/act/pulls/73

The above is the summary of the original PR that this sprang from. It looks like that one (which has been open for nearly 2 years) has lost steam after the original contributor got frustrated with delays, so I'm hoping that opening a fresh PR will revitalize the effort.

To be extremely clear:

  • All the content in this PR at the time it was opened was written by someone else, not me
  • I have a reasonable understanding of both OIDC (as a user rather than an implementer/maintainer) and of GoLang (using both in my day job), but am by no means an expert in either. I'm taking this on because I'm very keen to see it move along (so that I can authenticate to Vault on a per-repo basis), not because I'm necessarily the right person for the job. I'll happily take guidance and learn as I go, but you should probably assume that I'll have to do some research before understanding any comments.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 20, 2025
@github-actions github-actions bot added modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code modifies/migrations modifies/dependencies labels Mar 20, 2025
@scubbo scubbo mentioned this pull request Mar 20, 2025
Draft
scubbo
scubbo commented Mar 20, 2025
View reviewed changes
routers/api/actions/runner/utils.go Outdated
@@ -0,0 +1,221 @@
// Copyright 2022 The Gitea Authors. All rights reserved.
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if this file is actually needed - in the original PR there was just a small change to its logic, but it looks like the file has been entirely deleted in the main branch of the repo. I think it can be deleted entirely, but I'll keep it around until either a) I can get more confidence in that position, or b) someone more knowledgeable about the codebase can confirm that.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It has been moved in a recent PR. Maybe you could try to find when it is deleted. https://stackoverflow.com/questions/6839398/find-when-a-file-was-deleted-in-git

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, thanks! Looks like it was moved to services/actions/task.go.

@scubbo
Copy link
Author

scubbo commented Mar 20, 2025

Hmm - I'm getting error:

no required module provides package code.gitea.io/gitea/modules/context; to add it:
	go get code.gitea.io/gitea/modules/context

but when I run that command, I get

go: code.gitea.io/gitea/modules/context: no matching versions for query "upgrade"

I'm guessing that some names changed between the time this code was originally written and now. I'll keep poking around!

@wxiaoguang
Copy link
Contributor

It is code.gitea.io/gitea/services/context now. services

@scubbo
More lintfixes
f66c4b9 
This will not build until [this
PR](https://gitea.com/gitea/act/pulls/73) (which adds
`SingleWorkflow.RawPermissions`) is merged.
@scubbo
Copy link
Author

scubbo commented Mar 20, 2025
edited
Loading

Note that building will still fail until this PR is merged, since it adds a RawPermissions struct-field that this depends on. Operating on the assumption that OP won't mind if I take that one over (and resolve conflicts), I'll do so now - since that one was already approved, hopefully it shouldn't take long to get the second version of it approved and merged!

EDIT: re-opened here.

@scubbo
Copy link
Author

scubbo commented Mar 20, 2025

I re-opened the PRs on act and act_runner which are dependencies of this one. Hopefully 🤞🏻 those should be smooth to merge (since it looks like the originals were already approved), at which point I can iron out the rest of the build/lint failures. Thanks for the assistance/attention so far! 🙏🏻

@scubbo scubbo requested a review from lunny March 20, 2025 20:45
@lunny
Copy link
Member

lunny commented Mar 26, 2025

This PR on act has been merged (though it looks like the test job failed to execute?), so I'll update this PR which will hopefully resolve some of the lint failures due to reliance on previously-absent code.

(The PR on act_runner is still outstanding, though, so probably not all failures will be resolved)

I restarted the CI.

@scubbo scubbo requested a review from wxiaoguang March 28, 2025 18:37
@scubbo
Copy link
Author

scubbo commented Mar 28, 2025
edited
Loading

Hmm, I'm a little stumped by this last build failure - the original uses oauth2.SignToken, but no such function currently exists. I'll try to hunt down the commit where it was renamed/replaced.

EDIT: Ah, found it - in this commit, looks like we now need to use oauth2_provider.

@wxiaoguang wxiaoguang removed their request for review March 28, 2025 20:55
lunny
lunny reviewed Mar 28, 2025
View reviewed changes
@scubbo
Copy link
Author

scubbo commented Apr 5, 2025
edited
Loading

I suspect that these failing db-tests are going to be beyond my immediate capability to fix. In particular, I get different behaviour locally when running make test-sqlite - in the GitHub workflow runs, the failure is here; but in local reproduction, this testcase cannot be retrieved here.

I'll keep poking around to see if I can reproduce/understand/fix this failure; but this is probably the point where this PR would benefit from someone who knows the codebase better stepping in.

lunny
lunny reviewed Apr 6, 2025
View reviewed changes
lunny
lunny reviewed Apr 6, 2025
View reviewed changes
lunny
lunny reviewed Apr 6, 2025
View reviewed changes
lunny
lunny reviewed Apr 7, 2025
View reviewed changes
lunny
lunny reviewed Apr 7, 2025
View reviewed changes
@lunny lunny added this to the 1.25.0 milestone Apr 11, 2025
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@lunny lunny lunny left review comments

@wxiaoguang wxiaoguang wxiaoguang left review comments

Assignees
No one assigned
Labels
lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. modifies/api This PR adds API routes or modifies them modifies/dependencies modifies/go Pull requests that update Go code modifies/migrations
Projects
None yet
Milestone
1.25.0
Development

Successfully merging this pull request may close these issues.
6 participants
@scubbo @wxiaoguang @lunny @techknowlogick @GiteaBot @sorenisanerd