Merge pull request 'secure the docker-compose example and explain the difference with the token' (#77) from earl-warren/runner:wip-docs into main
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/77pull/85/head
commit
8e93b0e8e8
|
@ -28,6 +28,8 @@ jobs:
|
|||
run: |
|
||||
set -x
|
||||
cd examples/docker-compose
|
||||
secret=$(openssl rand -hex 20)
|
||||
sed -i -e "s/{SHARED_SECRET}/$secret/" compose-forgejo-and-runner.yml
|
||||
cli="docker compose -f compose-forgejo-and-runner.yml -f compose-demo-workflow.yml"
|
||||
#
|
||||
# Launch
|
||||
|
|
|
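Review bot: The two added lines `secret=$(openssl rand -hex 20)` and `sed -i -e "s/{SHARED_SECRET}/$secret/" compose-forgejo-and-runner.yml` execute under the `set -x` enabled at the top of the same `run:` block, so the freshly generated shared secret is written to the job log twice, once as the traced assignment and once inside the expanded sed command. The instance is throwaway, so the exposure is small, but job logs tend to be retained and readable, and wrapping the pair as `set +x; secret=$(openssl rand -hex 20); sed -i -e "s/{SHARED_SECRET}/$secret/" compose-forgejo-and-runner.yml; set -x` keeps the value out of the trace. Only `{SHARED_SECRET}` is substituted here; unless `{ROOT_PASSWORD}` is replaced somewhere outside this hunk, the demo now creates the admin user with the literal placeholder as its password and the git push in compose-demo-workflow.yml sends that same literal in its URL. The `run:` block continues past the end of the hunk.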
@ -8,6 +8,20 @@ used by the `Forgejo runner` to execute the workflows.
|
|||
|
||||
### Running
|
||||
|
||||
Create a shared secret with:
|
||||
|
||||
```sh
|
||||
openssl rand -hex 20
|
||||
```
|
||||
|
||||
Replace all occurences of {SHARED_SECRET} in
|
||||
[compose-forgejo-and-runner.yml](compose-forgejo-and-runner.yml).
|
||||
|
||||
> **NOTE:** a token obtained from the Forgejo web interface cannot be used as a shared secret.
|
||||
|
||||
Replace {ROOT_PASSWORD} with a secure password in
|
||||
[compose-forgejo-and-runner.yml](compose-forgejo-and-runner.yml).
|
||||
|
||||
```sh
|
||||
docker-compose -f compose-forgejo-and-runner.yml up
|
||||
Creating docker-compose_docker-in-docker_1 ... done
|
||||
|
@ -27,17 +41,10 @@ To login the Forgejo instance:
|
|||
|
||||
* URL: http://0.0.0.0:8080
|
||||
* user: root
|
||||
* password: admin1234
|
||||
* password: {ROOT_PASSWORD}
|
||||
|
||||
`Forgejo Actions` is enabled by default when creating a repository.
|
||||
|
||||
### Security
|
||||
|
||||
This is a demo and **must not be used in production** because:
|
||||
|
||||
* the runner secret is hardcoded
|
||||
* the admin password is hardcoded to admin1234
|
||||
|
||||
## Tests workflow
|
||||
|
||||
The `compose-demo-workflow.yml` compose file runs a demo workflow to
|
||||
|
|
|
@ -25,7 +25,7 @@ services:
|
|||
git config user.name username ;
|
||||
git commit -m 'demo' ;
|
||||
while : ; do
|
||||
git push --set-upstream --force http://root:admin1234@forgejo:3000/root/test main && break ;
|
||||
git push --set-upstream --force http://root:{ROOT_PASSWORD}@forgejo:3000/root/test main && break ;
|
||||
sleep 5 ;
|
||||
done ;
|
||||
sha=`git rev-parse HEAD` ;
|
||||
|
|
|
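Review bot: The new push URL `http://root:{ROOT_PASSWORD}@forgejo:3000/root/test` embeds the password as URL userinfo without percent-encoding, so the "secure password" the new README and header comment ask for will break the push as soon as it contains `@`, `/`, `:`, `%`, `#` or `?`, and the `su -c "... --password {ROOT_PASSWORD} ..."` line in compose-forgejo-and-runner.yml (hunk `@ -16,8 +29,8 @@`) has the same problem with `"`, `$`, `` ` `` and `'` because it sits inside a double-quoted string within a single-quoted `bash -c`. Either constrain the placeholder, for instance with a header comment such as `# Replace {ROOT_PASSWORD} with a secure password made only of letters and digits; other characters are not escaped in the commands below`, or take both values from one place, e.g. Compose `${ROOT_PASSWORD}` interpolation from a `.env` file, so a single edit updates both compose files consistently. Because a wrong or unsubstituted password makes this `while : ; do … sleep 5 ; done` loop retry forever with no feedback, a bounded retry count that exits non-zero would make the misconfiguration visible instead of hanging the demo. The `command:` script starts and ends outside the hunk.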
@ -1,6 +1,19 @@
|
|||
# Copyright 2023 The Forgejo Authors.
|
||||
# SPDX-License-Identifier: MIT
|
||||
|
||||
#
|
||||
# Create a secret with:
|
||||
#
|
||||
# openssl rand -hex 20
|
||||
#
|
||||
# Replace all occurences of {SHARED_SECRET} below with the output.
|
||||
#
|
||||
# NOTE: a token obtained from the Forgejo web interface cannot be used
|
||||
# as a shared secret.
|
||||
#
|
||||
# Replace {ROOT_PASSWORD} with a secure password
|
||||
#
|
||||
|
||||
version: "3"
|
||||
|
||||
services:
|
||||
|
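Review bot: `occurences` in the added comment `# Replace all occurences of {SHARED_SECRET} below with the output.` is misspelled and should read `occurrences`; the README hunk at `@ -8,6 +8,20 @@` repeats the same misspelling. The comment could also say that the value produced by `openssl rand -hex 20` replaces the placeholder in both the Forgejo and the runner service of this file, since a reader editing only the first occurrence will get a runner that never registers.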
@ -16,8 +29,8 @@ services:
|
|||
bash -c '
|
||||
/bin/s6-svscan /etc/s6 &
|
||||
sleep 10 ;
|
||||
su -c "forgejo forgejo-cli actions register --secret e3359786173a7aeb3818c19637479c5dbd7c5abb --labels docker --version 3.0.0" git ;
|
||||
su -c "forgejo admin user create --admin --username root --password admin1234 --email root@example.com" git ;
|
||||
su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET} --labels docker --version 3.0.0" git ;
|
||||
su -c "forgejo admin user create --admin --username root --password {ROOT_PASSWORD} --email root@example.com" git ;
|
||||
sleep infinity
|
||||
'
|
||||
environment:
|
||||
|
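Review bot: The placeholders in `forgejo-cli actions register --secret {SHARED_SECRET}` and `forgejo admin user create --admin --username root --password {ROOT_PASSWORD}` remove the hardcoded values from the repository, but both still travel as command-line arguments, so they remain readable through `docker inspect` of the container and in the host process list; the runner-side `create-runner-file --secret {SHARED_SECRET}` in the next hunk shares the same exposure. That is acceptable for a demo, but the README hunk at `@ -27,17 +41,10 @@` appears to drop the `### Security` section that said the example `must not be used in production`, and that caveat still holds for the reason above. A short comment above `bash -c '`, e.g. `# Demo only: the secret and password below are visible in the container command line (docker inspect / ps).`, would keep the warning next to the code. The `command:` script starts before the hunk.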
@ -45,7 +58,7 @@ services:
|
|||
command: >-
|
||||
bash -c '
|
||||
while : ; do
|
||||
forgejo-runner create-runner-file --instance http://forgejo:3000 --name runner --secret e3359786173a7aeb3818c19637479c5dbd7c5abb && break ;
|
||||
forgejo-runner create-runner-file --instance http://forgejo:3000 --name runner --secret {SHARED_SECRET} && break ;
|
||||
sleep 1 ;
|
||||
done ;
|
||||
forgejo-runner generate-config > config.yml ;
|
||||
|
|