Update code.forgejo.org/forgejo/runner Docker tag to v10
The container in the Oracle cloud infrastructure spun up with Docker Compose was updated by Watchtower with dependency update facilitated by Mend's Renovate Bot.
This MR contains the following updates:
| Package | Update | Change |
|---|---|---|
| code.forgejo.org/forgejo/runner (source) | major | 9.1.1 -> 10.0.1 |
Release Notes
forgejo/runner (code.forgejo.org/forgejo/runner)
v10.0.1
Release Notes
- bug fixes
- MR: fix: pull_request_target events can share the cache of the repository
v10.0.0
Warning Upgrade to v10.0.1 instead. A regression was found on
pull_request_targetevents and is fixed in the v10.0.1 release.
Release Notes
-
MR: fix(security): prevent on: pull_request actions from mutating caches of other workflow events
forgej-runner currently creates a safer execution environment for workflows triggered by pull requests by denying those workflows access to the repository's secrets, preventing pull requests from compromising the confidentiality of the secrets.Workflows do have access to write to the action cache, which is shared with future workflow executions, including executions that may have access to repository secrets. This was assumed safe as the cache is a "write-once" operation based upon the cache key; if an execution writes to that cache, it will be read by other workflows only if a matching key parameter is provided, and it can not be modified again. These assumptions were identified as weak security practices with known workarounds.
It is possible for a malicious pull request to mutate the shared cache and embed untrusted artifacts, which may later be executed in workflow executions with access to secrets, risking the confidentiality of those secrets.
In order to eliminate this risk, workflows executing with the
pull_requestandpull_request_targetevents have their write operations to the cache isolated to future workflow executions from the same pull request. They can continue to read from the shared cache if applicable.If using an external cache server configuration, both the cache server and other instances of the runner must be running the same software version. The recommended upgrade procedure in this configuration is to bring all runners offline, upgrade the cache server to the latest release and bring it online, and then bring all other runners online.
-
MR: fix(security): ensure unique names for container images created by actions
Without this fix, when a workflow ran a local docker action (e.g. the example in the end-to-end tests), it used an image tag that could collide with other workflows that happen to use the same name. The workaround for older runner versions is to set[container].force_rebuild: truein the runner configuration file.
- bug fixes
- other
- MR: Update code.forgejo.org/forgejo/forgejo Docker tag to v11.0.4
- MR: chore: explain the difference between
job_levelandlevel - MR: chore: add reminder of how to run a local test
- MR: chore: unify cascade-setup-forgejo with cascade-forgejo
- MR: chore: remove
github.com/pkg/errors - MR: Update module github.com/stretchr/testify to v1.11.1
- MR: Update module google.golang.org/protobuf to v1.36.8
- MR: Update module go.etcd.io/bbolt to v1.4.3
- MR: test: remove internal timeout in TestRunnerCacheConfiguration
- MR: chore: skip tests that require Forgejo if it is not available
- MR: chore: rework the README
- MR: Update github.com/go-viper/mapstructure/v2 (indirect) to v2.4.0 [SECURITY]
- MR: chore: remove TestRunContext_GetGitHubContext
- MR: chore: do not force GOPROXY
- MR: Update module github.com/vektra/mockery/v2 to v2.53.5
- MR: chore: fix .PHONY lint targets
- MR: Update dependency forgejo/runner to v9.1.1
- MR: Update code.forgejo.org/forgejo/runner Docker tag to v9.1.1
