Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package forgejo-runner for openSUSE:Factory checked in at 2026-04-28 11:57:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/forgejo-runner (Old) and /work/SRC/openSUSE:Factory/.forgejo-runner.new.11940 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "forgejo-runner" Tue Apr 28 11:57:08 2026 rev:45 rq:1349474 version:12.9.0 Changes: -------- --- /work/SRC/openSUSE:Factory/forgejo-runner/forgejo-runner.changes 2026-04-10 18:02:04.036270795 +0200 +++ /work/SRC/openSUSE:Factory/.forgejo-runner.new.11940/forgejo-runner.changes 2026-04-28 12:00:53.164772495 +0200 @@ -1,0 +2,7 @@ +Mon Apr 27 00:42:43 UTC 2026 - Richard Rahl <[email protected]> + +- Update to version 12.9.0: + + feat: trim whitespace around token, validate it + + fix: interpolation of workflow_call inputs + +------------------------------------------------------------------- Old: ---- forgejo-runner-12.8.2.obscpio New: ---- forgejo-runner-12.9.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ forgejo-runner.spec ++++++ --- /var/tmp/diff_new_pack.oa6Z6A/_old 2026-04-28 12:00:53.908803307 +0200 +++ /var/tmp/diff_new_pack.oa6Z6A/_new 2026-04-28 12:00:53.908803307 +0200 @@ -18,7 +18,7 @@ %define services %{name}.service Name: forgejo-runner -Version: 12.8.2 +Version: 12.9.0 Release: 0 Summary: Daemon that connects to a Forgejo instance and runs CI jobs License: GPL-3.0-or-later ++++++ _service ++++++ --- /var/tmp/diff_new_pack.oa6Z6A/_old 2026-04-28 12:00:53.952805129 +0200 +++ /var/tmp/diff_new_pack.oa6Z6A/_new 2026-04-28 12:00:53.956805294 +0200 @@ -2,7 +2,7 @@ <service name="obs_scm" mode="manual"> <param name="url">https://code.forgejo.org/forgejo/runner</param> <param name="scm">git</param> - <param name="revision">refs/tags/v12.8.2</param> + <param name="revision">refs/tags/v12.9.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">disable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ forgejo-runner-12.8.2.obscpio -> forgejo-runner-12.9.0.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/forgejo-runner-12.8.2/act/runner/expression.go new/forgejo-runner-12.9.0/act/runner/expression.go --- old/forgejo-runner-12.8.2/act/runner/expression.go 2026-04-07 17:51:41.000000000 +0200 +++ new/forgejo-runner-12.9.0/act/runner/expression.go 2026-04-20 22:33:05.000000000 +0200 @@ -441,6 +441,14 @@ } } + for k, v := range env { + if after, ok := strings.CutPrefix(k, "INPUT_"); ok { + inputs[strings.ToLower(after)] = v + } + } + + setupWorkflowInputs(ctx, &inputs, rc) + if ghc.EventName == "workflow_call" { config := rc.Run.Workflow.WorkflowCallConfig() if config != nil && config.Inputs != nil { @@ -458,14 +466,6 @@ } } - for k, v := range env { - if after, ok := strings.CutPrefix(k, "INPUT_"); ok { - inputs[strings.ToLower(after)] = v - } - } - - setupWorkflowInputs(ctx, &inputs, rc) - return inputs } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/forgejo-runner-12.8.2/act/runner/runner_test.go new/forgejo-runner-12.9.0/act/runner/runner_test.go --- old/forgejo-runner-12.8.2/act/runner/runner_test.go 2026-04-07 17:51:41.000000000 +0200 +++ new/forgejo-runner-12.9.0/act/runner/runner_test.go 2026-04-20 22:33:05.000000000 +0200 @@ -326,6 +326,7 @@ {workdir, "GITHUB_ENV-use-in-env-ctx", "push", "", platforms, secrets}, {workdir, "ensure-post-steps", "push", "Job 'second-post-step-should-fail' failed", platforms, secrets}, {workdir, "workflow_call_inputs", "workflow_call", "", platforms, secrets}, + {workdir, "workflow-call-inputs-precedence", "workflow_call", "", platforms, secrets}, {workdir, "workflow_dispatch", "workflow_dispatch", "", platforms, secrets}, {workdir, "workflow_dispatch_no_inputs_mapping", "workflow_dispatch", "", platforms, secrets}, {workdir, "workflow_dispatch-scalar", "workflow_dispatch", "", platforms, secrets}, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/forgejo-runner-12.8.2/act/runner/testdata/workflow-call-inputs-precedence/event.json new/forgejo-runner-12.9.0/act/runner/testdata/workflow-call-inputs-precedence/event.json --- old/forgejo-runner-12.8.2/act/runner/testdata/workflow-call-inputs-precedence/event.json 1970-01-01 01:00:00.000000000 +0100 +++ new/forgejo-runner-12.9.0/act/runner/testdata/workflow-call-inputs-precedence/event.json 2026-04-20 22:33:05.000000000 +0200 @@ -0,0 +1 @@ +{} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/forgejo-runner-12.8.2/act/runner/testdata/workflow-call-inputs-precedence/workflow_call.yml new/forgejo-runner-12.9.0/act/runner/testdata/workflow-call-inputs-precedence/workflow_call.yml --- old/forgejo-runner-12.8.2/act/runner/testdata/workflow-call-inputs-precedence/workflow_call.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/forgejo-runner-12.9.0/act/runner/testdata/workflow-call-inputs-precedence/workflow_call.yml 2026-04-20 22:33:05.000000000 +0200 @@ -0,0 +1,32 @@ +name: workflow_call + +on: + workflow_call: + inputs: + # The purpose of this variable is to verify that *default* values are injected correctly. + # If you change the variable's name, you also have to change the name of the env variable. + name: + name: name of the person to greet + default: Mona the Octocat + +jobs: + test: + runs-on: ubuntu-latest + env: + # The name of the env variable must be `INPUT_` followed by the capitalized name of the input + # variable. That's because the expression parser uses variables named like that for storing + # input variables. That can cause precedence problems if they are not handled correctly. + INPUT_NAME: ${{ inputs.name }} + steps: + - name: Validate inputs + run: | + echo "inputs.name=${{ inputs.name }}" + [[ "${{ inputs.name }}" = "Mona the Octocat" ]] || exit 1 + - name: Validate env + run: | + echo "env.INPUT_NAME=${{ env.INPUT_NAME }}" + [[ "${{ env.INPUT_NAME }}" = "Mona the Octocat" ]] || exit 1 + - name: Validate environment variables + run: | + echo "INPUT_NAME=$INPUT_NAME" + [[ "$INPUT_NAME" = "Mona the Octocat" ]] || exit 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/forgejo-runner-12.8.2/examples/docker-compose/compose-forgejo-and-runner.yml new/forgejo-runner-12.9.0/examples/docker-compose/compose-forgejo-and-runner.yml --- old/forgejo-runner-12.8.2/examples/docker-compose/compose-forgejo-and-runner.yml 2026-04-07 17:51:41.000000000 +0200 +++ new/forgejo-runner-12.9.0/examples/docker-compose/compose-forgejo-and-runner.yml 2026-04-20 22:33:05.000000000 +0200 @@ -57,7 +57,7 @@ - 8080:3000 runner-register: - image: data.forgejo.org/forgejo/runner:12.7.2 + image: data.forgejo.org/forgejo/runner:12.8.2 links: - docker-in-docker - forgejo @@ -81,7 +81,7 @@ ' runner-daemon: - image: data.forgejo.org/forgejo/runner:12.7.2 + image: data.forgejo.org/forgejo/runner:12.8.2 links: - docker-in-docker - forgejo diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/forgejo-runner-12.8.2/examples/lxc-systemd/forgejo-runner-service.sh new/forgejo-runner-12.9.0/examples/lxc-systemd/forgejo-runner-service.sh --- old/forgejo-runner-12.8.2/examples/lxc-systemd/forgejo-runner-service.sh 2026-04-07 17:51:41.000000000 +0200 +++ new/forgejo-runner-12.9.0/examples/lxc-systemd/forgejo-runner-service.sh 2026-04-20 22:33:05.000000000 +0200 @@ -22,7 +22,7 @@ : ${INPUTS_LIFETIME:=7d} DEFAULT_LXC_HELPERS_VERSION=1.1.3 # renovate: datasource=forgejo-tags depName=forgejo/lxc-helpers : ${INPUTS_LXC_HELPERS_VERSION:=$DEFAULT_LXC_HELPERS_VERSION} -DEFAULT_RUNNER_VERSION=12.7.2 # renovate: datasource=forgejo-releases depName=forgejo/runner +DEFAULT_RUNNER_VERSION=12.8.2 # renovate: datasource=forgejo-releases depName=forgejo/runner : ${INPUTS_RUNNER_VERSION:=$DEFAULT_RUNNER_VERSION} : ${KILL_AFTER:=21600} # 6h == 21600 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/forgejo-runner-12.8.2/go.mod new/forgejo-runner-12.9.0/go.mod --- old/forgejo-runner-12.8.2/go.mod 2026-04-07 17:51:41.000000000 +0200 +++ new/forgejo-runner-12.9.0/go.mod 2026-04-20 22:33:05.000000000 +0200 @@ -2,7 +2,7 @@ go 1.25.0 -toolchain go1.25.8 +toolchain go1.25.9 require ( code.forgejo.org/forgejo/actions-proto v0.7.0 @@ -19,7 +19,7 @@ github.com/docker/docker v28.5.2+incompatible github.com/docker/go-connections v0.6.0 github.com/go-git/go-billy/v5 v5.8.0 - github.com/go-git/go-git/v5 v5.17.1 + github.com/go-git/go-git/v5 v5.18.0 github.com/gobwas/glob v0.2.3 github.com/google/go-cmp v0.7.0 github.com/google/uuid v1.6.0 @@ -99,16 +99,15 @@ github.com/xeipuuv/gojsonschema v1.2.0 // indirect go.opentelemetry.io/auto/sdk v1.2.1 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect - go.opentelemetry.io/otel v1.40.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0 // indirect - go.opentelemetry.io/otel/metric v1.40.0 // indirect - go.opentelemetry.io/otel/sdk v1.40.0 // indirect - go.opentelemetry.io/otel/trace v1.40.0 // indirect + go.opentelemetry.io/otel v1.43.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 // indirect + go.opentelemetry.io/otel/metric v1.43.0 // indirect + go.opentelemetry.io/otel/sdk v1.43.0 // indirect + go.opentelemetry.io/otel/trace v1.43.0 // indirect go.yaml.in/yaml/v4 v4.0.0-rc.3 // indirect - golang.org/x/crypto v0.45.0 // indirect - golang.org/x/net v0.47.0 // indirect + golang.org/x/crypto v0.49.0 // indirect + golang.org/x/net v0.52.0 // indirect golang.org/x/sync v0.19.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f // indirect gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/forgejo-runner-12.8.2/go.sum new/forgejo-runner-12.9.0/go.sum --- old/forgejo-runner-12.8.2/go.sum 2026-04-07 17:51:41.000000000 +0200 +++ new/forgejo-runner-12.9.0/go.sum 2026-04-20 22:33:05.000000000 +0200 @@ -25,8 +25,8 @@ github.com/avast/retry-go/v4 v4.7.0/go.mod h1:ZMPDa3sY2bKgpLtap9JRUgk2yTAba7cgiFhqxY2Sg6Q= github.com/bmatcuk/doublestar/v4 v4.9.1 h1:X8jg9rRZmJd4yRy7ZeNDRnM+T3ZfHv15JiBJ/avrEXE= github.com/bmatcuk/doublestar/v4 v4.9.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= -github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= -github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM= +github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8= @@ -78,8 +78,8 @@ github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII= -github.com/go-git/go-git/v5 v5.17.1 h1:WnljyxIzSj9BRRUlnmAU35ohDsjRK0EKmL0evDqi5Jk= -github.com/go-git/go-git/v5 v5.17.1/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo= +github.com/go-git/go-git/v5 v5.18.0 h1:O831KI+0PR51hM2kep6T8k+w0/LIAD490gvqMCvL5hM= +github.com/go-git/go-git/v5 v5.18.0/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= @@ -97,8 +97,8 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= @@ -216,32 +216,32 @@ go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 h1:aFJWCqJMNjENlcleuuOkGAPH82y0yULBScfXcIEdS24= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1/go.mod h1:sEGXWArGqc3tVa+ekntsN65DmVbVeW+7lTKTjZF3/Fo= -go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms= -go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 h1:cl5P5/GIfFh4t6xyruOgJP5QiA1pw4fYYdv6nc6CBWw= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0/go.mod h1:zgBdWWAu7oEEMC06MMKc5NLbA/1YDXV1sMpSqEeLQLg= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0 h1:digkEZCJWobwBqMwC0cwCq8/wkkRy/OowZg5OArWZrM= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0/go.mod h1:/OpE/y70qVkndM0TrxT4KBoN3RsFZP0QaofcfYrj76I= -go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g= -go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc= -go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8= -go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE= -go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw= -go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA= -go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= -go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= +go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I= +go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bTWkw0ICGcOLCAI5l6zsD1j20k= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0/go.mod h1:Vl1/iaggsuRlrHf/hfPJPvVag77kKyvrLeD10kpMl+A= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 h1:3iZJKlCZufyRzPzlQhUIWVmfltrXuGyfjREgGP3UUjc= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0/go.mod h1:/G+nUPfhq2e+qiXMGxMwumDrP5jtzU+mWN7/sjT2rak= +go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM= +go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY= +go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg= +go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg= +go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A= +go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0= +go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g= +go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk= go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= go.yaml.in/yaml/v4 v4.0.0-rc.3 h1:3h1fjsh1CTAPjW7q/EMe+C8shx5d8ctzZTrLcs/j8Go= go.yaml.in/yaml/v4 v4.0.0-rc.3/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q= -golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4= +golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4= +golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA= golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= -golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= +golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0= +golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw= golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4= golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -260,18 +260,17 @@ golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU= golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM= -golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM= +golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8= +golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA= golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U= golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 h1:wpZ8pe2x1Q3f2KyT5f8oP/fa9rHAKgFPr/HZdNuS+PQ= -google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f h1:2yNACc1O40tTnrsbk9Cv6oxiW8pxI/pXj0wRtdlYmgY= -google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f/go.mod h1:Uy9bTZJqmfrw2rIBxgGLnamc78euZULUBrLZ9XTITKI= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= -google.golang.org/grpc v1.67.0 h1:IdH9y6PF5MPSdAntIcpjQ+tXO41pcQsfZV2RxtQgVcw= -google.golang.org/grpc v1.67.0/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA= +google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= +google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM= +google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/forgejo-runner-12.8.2/internal/app/cmd/args.go new/forgejo-runner-12.9.0/internal/app/cmd/args.go --- old/forgejo-runner-12.8.2/internal/app/cmd/args.go 2026-04-07 17:51:41.000000000 +0200 +++ new/forgejo-runner-12.9.0/internal/app/cmd/args.go 2026-04-20 22:33:05.000000000 +0200 @@ -7,6 +7,7 @@ "errors" "fmt" "net/url" + "strings" "time" "code.forgejo.org/forgejo/runner/v12/internal/pkg/config" @@ -74,6 +75,10 @@ return fmt.Errorf("invalid `token-url`: %w", err) } } + resolvedToken = strings.TrimSpace(resolvedToken) + if !config.IsValidToken(resolvedToken) { + return errors.New("token contains invalid characters") + } if cfg.Server.Connections == nil { cfg.Server.Connections = map[string]*config.Connection{} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/forgejo-runner-12.8.2/internal/app/cmd/args_test.go new/forgejo-runner-12.9.0/internal/app/cmd/args_test.go --- old/forgejo-runner-12.8.2/internal/app/cmd/args_test.go 2026-04-07 17:51:41.000000000 +0200 +++ new/forgejo-runner-12.9.0/internal/app/cmd/args_test.go 2026-04-20 22:33:05.000000000 +0200 @@ -211,6 +211,46 @@ assert.Equal(t, "8tBZOQlSaH", cfg.Server.Connections["default"].Token) }) + t.Run("trims token from token_url", func(t *testing.T) { + tokenURL, err := prepareTokenFile(t, "\n8tBZOQlSaH\r\n") + require.NoError(t, err) + + serverURL, err := url.Parse("https://example.com/";) + require.NoError(t, err) + + conn := connection{ + url: serverURL.String(), + uuid: "009e3230-0881-4690-8e0e-43ce2c01d2f9", + tokenURL: tokenURL.String(), + labels: []string{"label-1"}, + } + + cfg := config.Config{} + err = connectionFromArguments(&conn)(&cfg) + require.NoError(t, err) + + assert.Equal(t, "8tBZOQlSaH", cfg.Server.Connections["default"].Token) + }) + + t.Run("rejects token from token_url containing invalid characters", func(t *testing.T) { + tokenURL, err := prepareTokenFile(t, "8tBZ\nOQ\rlSaH") + require.NoError(t, err) + + serverURL, err := url.Parse("https://example.com/";) + require.NoError(t, err) + + conn := connection{ + url: serverURL.String(), + uuid: "009e3230-0881-4690-8e0e-43ce2c01d2f9", + tokenURL: tokenURL.String(), + labels: []string{"label-1"}, + } + + cfg := config.Config{} + err = connectionFromArguments(&conn)(&cfg) + require.ErrorContains(t, err, "token contains invalid characters") + }) + t.Run("rejects malformed label", func(t *testing.T) { serverURL, err := url.Parse("https://example.com/";) require.NoError(t, err) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/forgejo-runner-12.8.2/internal/pkg/config/config.go new/forgejo-runner-12.9.0/internal/pkg/config/config.go --- old/forgejo-runner-12.8.2/internal/pkg/config/config.go 2026-04-07 17:51:41.000000000 +0200 +++ new/forgejo-runner-12.9.0/internal/pkg/config/config.go 2026-04-20 22:33:05.000000000 +0200 @@ -10,6 +10,7 @@ "net/url" "os" "path/filepath" + "regexp" "strings" "time" @@ -471,11 +472,15 @@ var resolvedToken string if s.TokenURL != "" { if resolvedToken, err = ResolveSecretURL(s.TokenURL); err != nil { - return fmt.Errorf("invalid `secret_url`: %w", err) + return fmt.Errorf("invalid `token_url`: %w", err) } } else { resolvedToken = s.Token } + resolvedToken = strings.TrimSpace(resolvedToken) + if !IsValidToken(resolvedToken) { + return errors.New("token contains invalid characters") + } if config.Server.Connections == nil { config.Server.Connections = map[string]*Connection{} @@ -636,3 +641,10 @@ return string(value), nil } + +var validTokenPattern = regexp.MustCompile("(?i)^[a-z0-9]*$") + +// IsValidToken tests whether the given string does not contain characters that are not allowed in a runner token. +func IsValidToken(str string) bool { + return validTokenPattern.MatchString(str) +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/forgejo-runner-12.8.2/internal/pkg/config/config_test.go new/forgejo-runner-12.9.0/internal/pkg/config/config_test.go --- old/forgejo-runner-12.8.2/internal/pkg/config/config_test.go 2026-04-07 17:51:41.000000000 +0200 +++ new/forgejo-runner-12.9.0/internal/pkg/config/config_test.go 2026-04-20 22:33:05.000000000 +0200 @@ -1296,6 +1296,96 @@ assert.Equal(t, "8tBZOQlSaH", config.Server.Connections["example"].Token) }) + t.Run("rejects token from token containing invalid characters", func(t *testing.T) { + serverURL, err := url.Parse("https://example.com/";) + require.NoError(t, err) + + serialized := serializedConnectionSettings{ + URL: serverURL.String(), + UUID: "009e3230-0881-4690-8e0e-43ce2c01d2f9", + Token: "VV\nb1\n\teuy", + TokenURL: "", + Labels: []string{"label-1"}, + } + + config := Config{} + err = serialized.applyTo(&config, "example") + require.ErrorContains(t, err, "token contains invalid characters") + }) + + t.Run("rejects token from token_url containing invalid characters", func(t *testing.T) { + tempDir := t.TempDir() + secretPath := filepath.Join(tempDir, "secret.txt") + + err := os.WriteFile(secretPath, []byte("VV\nb1\r\teuy"), 0o644) + require.NoError(t, err) + + serverURL, err := url.Parse("https://example.com/";) + require.NoError(t, err) + + tokenURL, err := fileuri.FromFilePath(secretPath) + require.NoError(t, err) + + serialized := serializedConnectionSettings{ + URL: serverURL.String(), + UUID: "009e3230-0881-4690-8e0e-43ce2c01d2f9", + Token: "", + TokenURL: tokenURL.String(), + Labels: []string{"label-1"}, + } + + config := Config{} + err = serialized.applyTo(&config, "example") + require.ErrorContains(t, err, "token contains invalid characters") + }) + + t.Run("trims whitespace from token", func(t *testing.T) { + serverURL, err := url.Parse("https://example.com/";) + require.NoError(t, err) + + serialized := serializedConnectionSettings{ + URL: serverURL.String(), + UUID: "009e3230-0881-4690-8e0e-43ce2c01d2f9", + Token: "\nVVb1teuy\r\n", + TokenURL: "", + Labels: []string{"label-1"}, + } + + config := Config{} + err = serialized.applyTo(&config, "example") + require.NoError(t, err) + + assert.Equal(t, "VVb1teuy", config.Server.Connections["example"].Token) + }) + + t.Run("trims whitespace from token from token_url", func(t *testing.T) { + tempDir := t.TempDir() + secretPath := filepath.Join(tempDir, "secret.txt") + + err := os.WriteFile(secretPath, []byte("\nVVb1teuy\r\n"), 0o644) + require.NoError(t, err) + + serverURL, err := url.Parse("https://example.com/";) + require.NoError(t, err) + + tokenURL, err := fileuri.FromFilePath(secretPath) + require.NoError(t, err) + + serialized := serializedConnectionSettings{ + URL: serverURL.String(), + UUID: "009e3230-0881-4690-8e0e-43ce2c01d2f9", + Token: "", + TokenURL: tokenURL.String(), + Labels: []string{"label-1"}, + } + + config := Config{} + err = serialized.applyTo(&config, "example") + require.NoError(t, err) + + assert.Equal(t, "VVb1teuy", config.Server.Connections["example"].Token) + }) + t.Run("rejects malformed label", func(t *testing.T) { serverURL, err := url.Parse("https://example.com/";) require.NoError(t, err) ++++++ forgejo-runner.obsinfo ++++++ --- /var/tmp/diff_new_pack.oa6Z6A/_old 2026-04-28 12:00:55.756879837 +0200 +++ /var/tmp/diff_new_pack.oa6Z6A/_new 2026-04-28 12:00:55.760880003 +0200 @@ -1,5 +1,5 @@ name: forgejo-runner -version: 12.8.2 -mtime: 1775577101 -commit: 483dc418ecb029b3c0f05faefebac547847aa950 +version: 12.9.0 +mtime: 1776717185 +commit: 66625efb26ca57e9e5d9d37111a017d243b5a63c ++++++ vendor.tar.gz ++++++ ++++ 35602 lines of diff (skipped)
