v10.0.0
Stable, released 2025-09-01 12:34:54 +00:00

Warning
Upgrade to v10.0.1 instead. A regression was found on pull_request_target events and is fixed in the v10.0.1 release.

Release Notes
-
PR: fix(security): prevent on: pull_request actions from mutating caches of other workflow events
forgejo-runner currently creates a safer execution environment for workflows triggered by pull requests by denying those workflows access to the repository's secrets, preventing pull requests from compromising the confidentiality of the secrets.
Workflows do have access to write to the action cache, which is shared with future workflow executions, including executions that may have access to repository secrets. This was assumed safe as the cache is a "write-once" operation based upon the cache key; if an execution writes to that cache, it will be read by other workflows only if a matching key parameter is provided, and it cannot be modified again. These assumptions were identified as weak security practices with known workarounds.
It is possible for a malicious pull request to mutate the shared cache and embed untrusted artifacts, which may later be executed in workflow executions with access to secrets, risking the confidentiality of those secrets.
In order to eliminate this risk, workflows executing with the pull_request and pull_request_target events have their write operations to the cache isolated to future workflow executions from the same pull request. They can continue to read from the shared cache if applicable.
If using an external cache server configuration, both the cache server and other instances of the runner must be running the same software version. The recommended upgrade procedure in this configuration is to bring all runners offline, upgrade the cache server to the latest release and bring it online, and then bring all other runners online.
-
PR: fix(security): ensure unique names for container images created by actions
Without this fix, when a workflow ran a local docker action (e.g. the example in the end-to-end tests), it used an image tag that could collide with other workflows that happen to use the same name. The workaround for older runner versions is to set [container].force_rebuild: true in the runner configuration file.
- bug fixes
- other
- PR: Update code.forgejo.org/forgejo/forgejo Docker tag to v11.0.4
- PR: chore: explain the difference between job_level and level
- PR: chore: add reminder of how to run a local test
- PR: chore: unify cascade-setup-forgejo with cascade-forgejo
- PR: chore: remove github.com/pkg/errors
- PR: Update module github.com/stretchr/testify to v1.11.1
- PR: Update module google.golang.org/protobuf to v1.36.8
- PR: Update module go.etcd.io/bbolt to v1.4.3
- PR: test: remove internal timeout in TestRunnerCacheConfiguration
- PR: chore: skip tests that require Forgejo if it is not available
- PR: chore: rework the README
- PR: Update github.com/go-viper/mapstructure/v2 (indirect) to v2.4.0 [SECURITY]
- PR: chore: remove TestRunContext_GetGitHubContext
- PR: chore: do not force GOPROXY
- PR: Update module github.com/vektra/mockery/v2 to v2.53.5
- PR: chore: fix .PHONY lint targets
- PR: Update dependency forgejo/runner to v9.1.1
- PR: Update code.forgejo.org/forgejo/runner Docker tag to v9.1.1
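
The cache isolation rule from the first security fix above, as a small Go model. This is an added example, not forgejo-runner's own code: the type and function names, the scope strings, and the lookup order in Restore are assumptions made for illustration.

```go
package main

import "fmt"

// Illustrative model of the isolation rule; not forgejo-runner code.
// All type and function names are hypothetical.

// entryKey: scope "" is the shared cache, "pr-<n>" is one pull request's namespace.
type entryKey struct{ scope, key string }

type Cache struct{ entries map[entryKey]string }

func NewCache() *Cache { return &Cache{entries: map[entryKey]string{}} }

// writeScope returns the namespace a run is allowed to write to.
func writeScope(event string, pr int) string {
	if event == "pull_request" || event == "pull_request_target" {
		return fmt.Sprintf("pr-%d", pr)
	}
	return ""
}

// Save is write-once per (scope, key); it reports false if the entry exists.
func (c *Cache) Save(event string, pr int, key, value string) bool {
	k := entryKey{writeScope(event, pr), key}
	if _, exists := c.entries[k]; exists {
		return false
	}
	c.entries[k] = value
	return true
}

// Restore checks the run's own scope, then the shared cache (order is an assumption).
func (c *Cache) Restore(event string, pr int, key string) (string, bool) {
	if s := writeScope(event, pr); s != "" {
		if v, ok := c.entries[entryKey{s, key}]; ok {
			return v, true
		}
	}
	v, ok := c.entries[entryKey{"", key}]
	return v, ok
}

func main() {
	c := NewCache()
	c.Save("pull_request", 7, "deps", "untrusted") // constructed sample data
	_, hit := c.Restore("push", 0, "deps")
	fmt.Println("push run sees the pull request's entry:", hit)
}
```

In this model a pull request can no longer occupy the write-once slot for a key in the shared cache, so a later run with access to secrets gets a miss and writes its own entry.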
Downloads
- Source code (ZIP)
- Source code (TAR.GZ)
- forgejo-runner-10.0.0-linux-amd64 · 2025-09-01 12:34:03 +00:00 · 20 MiB
- forgejo-runner-10.0.0-linux-amd64.asc · 2025-09-01 12:34:03 +00:00 · 228 B
- forgejo-runner-10.0.0-linux-amd64.sha256 · 2025-09-01 12:34:03 +00:00 · 100 B
- forgejo-runner-10.0.0-linux-amd64.xz · 2025-09-01 12:34:03 +00:00 · 5.7 MiB
- forgejo-runner-10.0.0-linux-amd64.xz.asc · 2025-09-01 12:34:03 +00:00 · 228 B
- forgejo-runner-10.0.0-linux-amd64.xz.sha256 · 2025-09-01 12:34:03 +00:00 · 103 B
- forgejo-runner-10.0.0-linux-arm64 · 2025-09-01 12:34:04 +00:00 · 19 MiB
- forgejo-runner-10.0.0-linux-arm64.asc · 2025-09-01 12:34:04 +00:00 · 228 B
- forgejo-runner-10.0.0-linux-arm64.sha256 · 2025-09-01 12:34:04 +00:00 · 100 B
- forgejo-runner-10.0.0-linux-arm64.xz · 2025-09-01 12:34:04 +00:00 · 4.9 MiB
- forgejo-runner-10.0.0-linux-arm64.xz.asc · 2025-09-01 12:34:05 +00:00 · 228 B
- forgejo-runner-10.0.0-linux-arm64.xz.sha256 · 2025-09-01 12:34:05 +00:00 · 103 B