Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check IsActionsToken for LFS authentication #23841

Merged
merged 6 commits into from
Apr 2, 2023
Merged

Check IsActionsToken for LFS authentication #23841

merged 6 commits into from
Apr 2, 2023

Conversation

Zettat123
Copy link
Contributor

Close #23824

Actions cannot fetch LFS objects from private repos because we don't check if the user is the ActionUser.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 31, 2023
yp05327
yp05327 reviewed Mar 31, 2023
View reviewed changes
services/lfs/server.go Outdated Show resolved Hide resolved
yp05327
yp05327 reviewed Mar 31, 2023
View reviewed changes
services/lfs/server.go Outdated Show resolved Hide resolved
@wolfogre
Copy link
Member

wolfogre commented Mar 31, 2023
edited
Loading

It follows the logic in

gitea/routers/web/repo/http.go

Line 198 in 1bc4ffc

if ctx.Data["IsActionsToken"] == true {
.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Mar 31, 2023
lunny
lunny requested changes Apr 1, 2023
View reviewed changes
services/lfs/server.go Outdated Show resolved Hide resolved
@lunny lunny added the outdated/backport/v1.19 This PR should be backported to Gitea 1.19 label Apr 1, 2023
@lunny lunny added this to the 1.20.0 milestone Apr 1, 2023
@lunny lunny added the skip-changelog This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features. label Apr 1, 2023
@codecov-commenter
Copy link

codecov-commenter commented Apr 1, 2023
edited
Loading

Codecov Report

Merging #23841 (e32f9c1) into main (f521e88) will decrease coverage by 0.14%.
The diff coverage is 28.82%.

@@            Coverage Diff             @@
##             main   #23841      +/-   ##
==========================================
- Coverage   47.14%   47.00%   -0.14%     
==========================================
  Files        1149     1158       +9     
  Lines      151446   153211    +1765     
==========================================
+ Hits        71397    72019     +622     
- Misses      71611    72693    +1082     
- Partials     8438     8499      +61
Impacted Files Coverage Δ
cmd/dump.go 0.66% <0.00%> (-0.01%) ⬇️
cmd/mailer.go 0.00% <0.00%> (ø)
cmd/manager.go 0.00% <0.00%> (ø)
cmd/manager_logging.go 0.00% <0.00%> (ø)
cmd/migrate_storage.go 5.76% <0.00%> (-0.12%) ⬇️
cmd/restore_repo.go 0.00% <0.00%> (ø)
cmd/web.go 0.00% <0.00%> (ø)
models/actions/run.go 1.63% <0.00%> (-0.10%) ⬇️
models/actions/runner.go 1.44% <ø> (ø)
models/packages/package.go 45.45% <0.00%> (-1.13%) ⬇️
... and 67 more

... and 75 files with indirect coverage changes

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@Zettat123 Zettat123 requested a review from lunny April 1, 2023 13:04
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Apr 1, 2023
@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Apr 1, 2023
@wolfogre wolfogre merged commit bcc4c62 into go-gitea:main Apr 2, 2023
@GiteaBot GiteaBot mentioned this pull request Apr 2, 2023
Merged
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Apr 2, 2023
@Zettat123
Check IsActionsToken for LFS authentication (go-gitea#23841)
40bcb00 
Close go-gitea#23824 

Actions cannot fetch LFS objects from private repos because we don't
check if the user is the `ActionUser`.
@GiteaBot GiteaBot added the backport/done All backports for this PR have been created label Apr 2, 2023
@wolfogre wolfogre removed the backport/done All backports for this PR have been created label Apr 2, 2023
@wolfogre wolfogre removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Apr 2, 2023
@yardenshoham yardenshoham added the backport/done All backports for this PR have been created label Apr 2, 2023
zeripath pushed a commit that referenced this pull request Apr 2, 2023
@GiteaBot @Zettat123
Check IsActionsToken for LFS authentication (#23841) (#23875)
fe7caa0 
Backport #23841 by @Zettat123

Close #23824 

Actions cannot fetch LFS objects from private repos because we don't
check if the user is the `ActionUser`.

Co-authored-by: Zettat123 <zettat123@gmail.com>
@Zettat123 Zettat123 deleted the bugfix/issue-23824 branch April 3, 2023 01:23
zjjhot added a commit to zjjhot/gitea that referenced this pull request Apr 3, 2023
@zjjhot
Merge remote-tracking branch 'upstream/main'
a6741d8 
* upstream/main:
  [skip ci] Updated translations via Crowdin
  Update JS deps (go-gitea#23853)
  Added close/open button to details page of milestone (go-gitea#23877)
  Check `IsActionsToken` for LFS authentication (go-gitea#23841)
  Prefill input values in oauth settings as intended (go-gitea#23829)
  Display image size for multiarch container images (go-gitea#23821)
  Use clippie module to copy to clipboard (go-gitea#23801)
  Remove assertion debug code for show/hide refactoring (go-gitea#23576)
  [skip ci] Updated translations via Crowdin
  Remove jQuery ready usage (go-gitea#23858)
  Fix JS error when changing PR's target branch (go-gitea#23862)
  Improve action log display with control chars (go-gitea#23820)
  Fix review conversation reply (go-gitea#23846)
  Improve home page template, fix Sort dropdown menu flash (go-gitea#23856)
  Make first section on home page full width (go-gitea#23854)
  [skip ci] Updated translations via Crowdin
  Fix incorrect CORS failure detection logic (go-gitea#23844)
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@yp05327 yp05327 yp05327 left review comments

@wolfogre wolfogre wolfogre approved these changes

@lunny lunny lunny approved these changes

Assignees
No one assigned
Labels
backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. outdated/backport/v1.19 This PR should be backported to Gitea 1.19 skip-changelog This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features. type/bug
Projects
None yet
Milestone
1.20.0
Development

Successfully merging this pull request may close these issues.

Gitea Actions fetching from lfs, api error: Authentication required: Unauthorized
8 participants
@Zettat123 @wolfogre @codecov-commenter @lunny @yp05327 @techknowlogick @yardenshoham @GiteaBot