Restrict [actions].DEFAULT_ACTIONS_URL to only github or self (#25581)

Resolve #24789 ## ⚠️ BREAKING ⚠️ Before this, `DEFAULT_ACTIONS_URL` cound be set to any custom URLs like `https://gitea.com` or `http://your-git-server,https://gitea.com`, and the default value was `https://gitea.com`. But now, `DEFAULT_ACTIONS_URL` supports only `github`(`https://github.com`) or `self`(the root url of current Gitea instance), and the default value is `github`. If it has configured with a URL, an error log will be displayed and it will fallback to `github`. Actually, what we really want to do is always make it `https://github.com`, however, this may not be acceptable for some instances of internal use, so there's extra support for `self`, but no more, even `https://gitea.com`. Please note that `uses: https://xxx/yyy/zzz` always works and it does exactly what it is supposed to do. Although it's breaking, I belive it should be backported to `v1.20` due to some security issues. Follow-up on the runner side: - https://gitea.com/gitea/act_runner/pulls/262 - https://gitea.com/gitea/act/pulls/70
2023-06-30 15:26:36 +08:00 · 2023-06-30 15:26:36 +08:00 · 67bd9d4f1e
commit 67bd9d4f1e
parent 254a82842a
5 changed files with 139 additions and 33 deletions
--- a/modules/setting/actions_test.go
+++ b/modules/setting/actions_test.go
@ -8,6 +8,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func Test_getStorageInheritNameSectionTypeForActions(t *testing.T) {
@ -95,3 +96,86 @@ STORAGE_TYPE = minio
 	assert.EqualValues(t, "local", Actions.ArtifactStorage.Type)
 	assert.EqualValues(t, "actions_artifacts", filepath.Base(Actions.ArtifactStorage.Path))
 }
+
+func Test_getDefaultActionsURLForActions(t *testing.T) {
+	oldActions := Actions
+	oldAppURL := AppURL
+	defer func() {
+		Actions = oldActions
+		AppURL = oldAppURL
+	}()
+
+	AppURL = "http://test_get_default_actions_url_for_actions:3000/"
+
+	tests := []struct {
+		name    string
+		iniStr  string
+		wantErr assert.ErrorAssertionFunc
+		wantURL string
+	}{
+		{
+			name: "default",
+			iniStr: `
+[actions]
+`,
+			wantErr: assert.NoError,
+			wantURL: "https://github.com",
+		},
+		{
+			name: "github",
+			iniStr: `
+[actions]
+DEFAULT_ACTIONS_URL = github
+`,
+			wantErr: assert.NoError,
+			wantURL: "https://github.com",
+		},
+		{
+			name: "self",
+			iniStr: `
+[actions]
+DEFAULT_ACTIONS_URL = self
+`,
+			wantErr: assert.NoError,
+			wantURL: "http://test_get_default_actions_url_for_actions:3000",
+		},
+		{
+			name: "custom url",
+			iniStr: `
+[actions]
+DEFAULT_ACTIONS_URL = https://gitea.com
+`,
+			wantErr: assert.NoError,
+			wantURL: "https://github.com",
+		},
+		{
+			name: "custom urls",
+			iniStr: `
+[actions]
+DEFAULT_ACTIONS_URL = https://gitea.com,https://github.com
+`,
+			wantErr: assert.NoError,
+			wantURL: "https://github.com",
+		},
+		{
+			name: "invalid",
+			iniStr: `
+[actions]
+DEFAULT_ACTIONS_URL = gitea
+`,
+			wantErr: assert.Error,
+			wantURL: "https://github.com",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg, err := NewConfigProviderFromData(tt.iniStr)
+			require.NoError(t, err)
+			if !tt.wantErr(t, loadActionsFrom(cfg)) {
+				return
+			}
+			assert.EqualValues(t, tt.wantURL, Actions.DefaultActionsURL.URL())
+		})
+	}
+}