
Add ac claim for old docker/build-push-action@v3 / current buildx gha cache (#29584)

Also resolves a warning for current releases

```
| ##[group]GitHub Actions runtime token ACs
| ##[warning]Cannot parse GitHub Actions Runtime Token ACs: "undefined" is not valid JSON
| ##[endgroup]
====>
| ##[group]GitHub Actions runtime token ACs
| ##[endgroup]
```
\* this is an error in v3

References in the docker org:
-
https://github.com/docker/build-push-action/blob/831ca179d3cf91cf0c90ca465a408fa61e2129a2/src/main.ts#L24
-
https://github.com/docker/actions-toolkit/blob/7d8b4dc6694df35a06fae786427672ce27a8c18d/src/github.ts#L61

No known official action of GitHub makes use of this claim.

Current releases throw an error when configured to use the actions cache
```
| ERROR: failed to solve: failed to configure gha cache exporter: invalid token without access controls
| ##[error]buildx failed with: ERROR: failed to solve: failed to configure gha cache exporter: invalid token without access controls
```

(cherry picked from commit 368743baf3d904f86b553a88718583906f571c87)

authored by

ChristopherHX and committed by
Earl Warren
b058fb40 e7afba21

+34
+25
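--- a/services/actions/auth.go
+++ b/services/actions/auth.go
@@ -9,6 +9,7 @@
 	"strings"
 	"time"
 
+	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 
@@ -21,17 +22,41 @@
 	TaskID int64
 	RunID int64
 	JobID int64
+	Ac string `json:"ac"`
+}
+
+type actionsCacheScope struct {
+	Scope string
+	Permission actionsCachePermission
 }
 
+type actionsCachePermission int
+
+const (
+	actionsCachePermissionRead = 1 << iota
+	actionsCachePermissionWrite
+)
+
 func CreateAuthorizationToken(taskID, runID, jobID int64) (string, error) {
 	now := time.Now()
 
+	ac, err := json.Marshal(&[]actionsCacheScope{
+		{
+			Scope: "",
+			Permission: actionsCachePermissionWrite,
+		},
+	})
+	if err != nil {
+		return "", err
+	}
+
 	claims := actionsClaims{
 		RegisteredClaims: jwt.RegisteredClaims{
 			ExpiresAt: jwt.NewNumericDate(now.Add(24 * time.Hour)),
 			NotBefore: jwt.NewNumericDate(now),
 		},
 		Scp: fmt.Sprintf("Actions.Results:%d:%d", runID, jobID),
+		Ac: string(ac),
 		TaskID: taskID,
 		RunID: runID,
 		JobID: jobID,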
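Review bot: The `ac` claim built in CreateAuthorizationToken hard-codes `Scope: ""` with `actionsCachePermissionWrite` for every task token, and nothing on the new lines records why an unscoped write grant is acceptable or who is meant to consume it. Going by the commit message the claim exists so that the buildx gha cache client accepts the token; if so, a comment above the `json.Marshal` call such as `// ac is only parsed client-side by buildx; it is identical for every task and must not be used for server-side cache authorization` would keep a later change from trusting it. Whether the cache endpoints enforce access separately is not visible in this hunk. The const block also leaves both values untyped and `actionsCachePermissionRead` unused; `actionsCachePermissionRead actionsCachePermission = 1 << iota` would tie them to the field type. The function body continues past the end of the hunk.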
+9
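--- a/services/actions/auth_test.go
+++ b/services/actions/auth_test.go
@@ -7,6 +7,7 @@
 	"net/http"
 	"testing"
 
+	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/setting"
 
 	"github.com/golang-jwt/jwt/v5"
@@ -29,6 +30,14 @@
 	taskIDClaim, ok := claims["TaskID"]
 	assert.True(t, ok, "Has TaskID claim in jwt token")
 	assert.Equal(t, float64(taskID), taskIDClaim, "Supplied taskid must match stored one")
+	acClaim, ok := claims["ac"]
+	assert.True(t, ok, "Has ac claim in jwt token")
+	ac, ok := acClaim.(string)
+	assert.True(t, ok, "ac claim is a string for buildx gha cache")
+	scopes := []actionsCacheScope{}
+	err = json.Unmarshal([]byte(ac), &scopes)
+	assert.NoError(t, err, "ac claim is a json list for buildx gha cache")
+	assert.GreaterOrEqual(t, len(scopes), 1, "Expected at least one action cache scope for buildx gha cache")
 }
 
 func TestParseAuthorizationToken(t *testing.T) {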
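Review bot: The new assertions stop at `len(scopes) >= 1`, so the test still passes if the token carries a different permission value or a non-empty scope. Since the claim describes cache access rights, the issued value is worth pinning, for example with `assert.Equal(t, actionsCachePermission(actionsCachePermissionWrite), scopes[0].Permission)` and `assert.Empty(t, scopes[0].Scope)` inside an `if assert.GreaterOrEqual(...)` guard so an empty list cannot panic on the index. Because `assert` does not stop the test, a failed `acClaim.(string)` assertion falls through to `json.Unmarshal` on an empty string and reports a second, misleading failure. The enclosing test function begins above the hunk.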