Currently, Gitea runs actions automatically when they are triggered by a pull request from a fork. This is a security risk: anyone can open a PR that modifies the workflow YAML files so that the runner executes a malicious script. We should therefore require approval for first-time contributors, which is the default policy for a public repository on GitHub; see [Approving workflow runs from public forks](https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks). Current strategy: - no approval needed if it is not a fork PR; - approval always required if the user is restricted; - no approval needed if the user has write permission; - no approval needed if the user has been approved before; - otherwise, approval is required. https://user-images.githubusercontent.com/9418365/217207121-badf50a8-826c-4425-bef1-d82d1979bc81.mov GitHub exposes an option for this at `/<owner>/<repo>/settings/actions`; we can support that later. <img width="835" alt="image" src="https://user-images.githubusercontent.com/9418365/217199990-2967e68b-e693-4e59-8186-ab33a1314a16.png"> --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
// Copyright 2022 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package actions
import (
"context"
"code.gitea.io/gitea/models/db"
repo_model "code.gitea.io/gitea/models/repo"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/container"
"code.gitea.io/gitea/modules/util"
"xorm.io/builder"
)
// RunList is a slice of ActionRun pointers with helpers for collecting the
// distinct user/repo IDs the runs reference and batch-loading those records.
type RunList []*ActionRun
// GetUserIDs returns the TriggerUserID of every run in the list, collected
// through a Set so duplicates collapse and the order is unspecified.
func (runs RunList) GetUserIDs() []int64 {
	seen := make(container.Set[int64], len(runs))
	for i := range runs {
		seen.Add(runs[i].TriggerUserID)
	}
	return seen.Values()
}
// GetRepoIDs returns the RepoID of every run in the list, collected through
// a Set so duplicates collapse and the order is unspecified.
func (runs RunList) GetRepoIDs() []int64 {
	seen := make(container.Set[int64], len(runs))
	for i := range runs {
		seen.Add(runs[i].RepoID)
	}
	return seen.Values()
}
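// LoadTriggerUser populates run.TriggerUser for every run in the list using a
// single batched query over the distinct TriggerUserIDs.
//
// Runs triggered by the internal Actions user (user_model.ActionsUserID) get
// the synthetic user from user_model.NewActionsUser() instead of a DB row.
// A TriggerUserID with no matching row leaves run.TriggerUser nil; callers
// must not assume it is set.
func (runs RunList) LoadTriggerUser(ctx context.Context) error {
	// Nothing to resolve: skip the round-trip so an empty IN () list never
	// reaches the database (its handling is driver/ORM dependent).
	if len(runs) == 0 {
		return nil
	}

	userIDs := runs.GetUserIDs()
	users := make(map[int64]*user_model.User, len(userIDs))
	if err := db.GetEngine(ctx).In("id", userIDs).Find(&users); err != nil {
		return err
	}

	for _, run := range runs {
		if run.TriggerUserID == user_model.ActionsUserID {
			// Synthetic system user; it is not looked up in the user table.
			run.TriggerUser = user_model.NewActionsUser()
			continue
		}
		run.TriggerUser = users[run.TriggerUserID] // nil when no row matched
	}
	return nil
}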
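// LoadRepos populates run.Repo for every run in the list with one batched
// lookup of the distinct RepoIDs. A RepoID absent from the returned map
// leaves run.Repo nil.
//
// NOTE(review): unlike LoadTriggerUser this takes no ctx, so the lookup
// cannot join a caller's transaction/engine — confirm that is intended.
func (runs RunList) LoadRepos() error {
	// Nothing to resolve: avoid issuing a lookup for an empty ID list.
	if len(runs) == 0 {
		return nil
	}

	repos, err := repo_model.GetRepositoriesMapByIDs(runs.GetRepoIDs())
	if err != nil {
		return err
	}

	for _, run := range runs {
		run.Repo = repos[run.RepoID] // nil when the map has no entry
	}
	return nil
}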
// FindRunOptions selects ActionRun rows for FindRuns and CountRuns. A zero
// value for a filter field means "no condition on that column"; toConds
// defines the exact translation.
type FindRunOptions struct {
	db.ListOptions          // Page/PageSize; honoured by FindRuns only
	RepoID int64            // filter on repo_id when > 0
	OwnerID int64           // filter on owner_id when > 0
	IsClosed util.OptionalBool // false: only waiting/running; true: any other status; none: no filter
	WorkflowFileName string // filter on the workflow_id column when non-empty
	TriggerUserID int64     // filter on trigger_user_id when > 0
	Approved bool // not util.OptionalBool, it works only when it's true (adds approved_by > 0)
}
// toConds translates the options into a builder.Cond over the ActionRun
// table. Zero-valued fields add no condition. IsClosed is expressed on the
// status column: "not closed" means waiting or running, "closed" means any
// other status. Approved is one-way: true keeps only rows with
// approved_by > 0, false adds nothing.
func (opts FindRunOptions) toConds() builder.Cond {
	conds := builder.NewCond()

	if opts.RepoID > 0 {
		conds = conds.And(builder.Eq{"repo_id": opts.RepoID})
	}
	if opts.OwnerID > 0 {
		conds = conds.And(builder.Eq{"owner_id": opts.OwnerID})
	}

	switch {
	case opts.IsClosed.IsFalse():
		// Still in flight: waiting to be picked up, or currently running.
		conds = conds.And(builder.Eq{"status": StatusWaiting}.Or(builder.Eq{"status": StatusRunning}))
	case opts.IsClosed.IsTrue():
		// Everything that is neither waiting nor running.
		conds = conds.And(builder.Neq{"status": StatusWaiting}.And(builder.Neq{"status": StatusRunning}))
	}

	if opts.WorkflowFileName != "" {
		// The workflow file name is what the workflow_id column stores.
		conds = conds.And(builder.Eq{"workflow_id": opts.WorkflowFileName})
	}
	if opts.TriggerUserID > 0 {
		conds = conds.And(builder.Eq{"trigger_user_id": opts.TriggerUserID})
	}
	if opts.Approved {
		// approved_by > 0 marks an approved run (presumably the approver's ID).
		conds = conds.And(builder.Gt{"approved_by": 0})
	}

	return conds
}
// FindRuns returns the runs matching opts, ordered by id descending, together
// with the count xorm's FindAndCount reports for the same conditions. The
// LIMIT/OFFSET is applied only when both PageSize and Page are positive.
func FindRuns(ctx context.Context, opts FindRunOptions) (RunList, int64, error) {
	sess := db.GetEngine(ctx).Where(opts.toConds())

	if opts.PageSize > 0 && opts.Page >= 1 {
		offset := (opts.Page - 1) * opts.PageSize
		sess.Limit(opts.PageSize, offset)
	}

	var runs RunList
	count, err := sess.Desc("id").FindAndCount(&runs)
	return runs, count, err
}
// CountRuns returns the number of ActionRun rows matching opts. Only the
// filter fields are used; the embedded ListOptions play no part here.
func CountRuns(ctx context.Context, opts FindRunOptions) (int64, error) {
	cond := opts.toConds()
	sess := db.GetEngine(ctx).Where(cond)
	return sess.Count(new(ActionRun))
}