Merge pull request 'secure the docker-compose example and explain the difference with the token' (#77) from earl-warren/runner:wip-docs into main
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/77
pull/85/head
commit
8e93b0e8e8
|
@ -28,6 +28,8 @@ jobs:
|
||||||
run: |
|
run: |
|
||||||
set -x
|
set -x
|
||||||
cd examples/docker-compose
|
cd examples/docker-compose
|
||||||
|
secret=$(openssl rand -hex 20)
|
||||||
|
sed -i -e "s/{SHARED_SECRET}/$secret/" compose-forgejo-and-runner.yml
|
||||||
cli="docker compose -f compose-forgejo-and-runner.yml -f compose-demo-workflow.yml"
|
cli="docker compose -f compose-forgejo-and-runner.yml -f compose-demo-workflow.yml"
|
||||||
#
|
#
|
||||||
# Launch
|
# Launch
|
||||||
|
|
|
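Review bot: The added `sed` line substitutes only `{SHARED_SECRET}`, so as far as this hunk shows the CI run leaves `{ROOT_PASSWORD}` in place and the admin account is created with that literal placeholder as its password. The test still passes because the file holding the `git push` line (presumably compose-demo-workflow.yml) uses the same literal, but the documented path of replacing both placeholders is then not exercised; generating a second value and adding `sed -i -e "s/{ROOT_PASSWORD}/$password/" compose-forgejo-and-runner.yml compose-demo-workflow.yml` would cover it. Separately, `set -x` is active above the new lines, so the traced `sed` command prints the generated secret into the job log; that is acceptable for a throwaway value but deserves a comment such as `# throwaway secret, only valid for this CI run`. The `run:` step continues past the end of the hunk, so a later substitution may exist outside this view.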
@ -8,6 +8,20 @@ used by the `Forgejo runner` to execute the workflows.
|
||||||
|
|
||||||
### Running
|
### Running
|
||||||
|
|
||||||
|
Create a shared secret with:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
openssl rand -hex 20
|
||||||
|
```
|
||||||
|
|
||||||
|
Replace all occurences of {SHARED_SECRET} in
|
||||||
|
[compose-forgejo-and-runner.yml](compose-forgejo-and-runner.yml).
|
||||||
|
|
||||||
|
> **NOTE:** a token obtained from the Forgejo web interface cannot be used as a shared secret.
|
||||||
|
|
||||||
|
Replace {ROOT_PASSWORD} with a secure password in
|
||||||
|
[compose-forgejo-and-runner.yml](compose-forgejo-and-runner.yml).
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
docker-compose -f compose-forgejo-and-runner.yml up
|
docker-compose -f compose-forgejo-and-runner.yml up
|
||||||
Creating docker-compose_docker-in-docker_1 ... done
|
Creating docker-compose_docker-in-docker_1 ... done
|
||||||
|
@ -27,17 +41,10 @@ To login the Forgejo instance:
|
||||||
|
|
||||||
* URL: http://0.0.0.0:8080
|
* URL: http://0.0.0.0:8080
|
||||||
* user: root
|
* user: root
|
||||||
* password: admin1234
|
* password: {ROOT_PASSWORD}
|
||||||
|
|
||||||
`Forgejo Actions` is enabled by default when creating a repository.
|
`Forgejo Actions` is enabled by default when creating a repository.
|
||||||
|
|
||||||
### Security
|
|
||||||
|
|
||||||
This is a demo and **must not be used in production** because:
|
|
||||||
|
|
||||||
* the runner secret is hardcoded
|
|
||||||
* the admin password is hardcoded to admin1234
|
|
||||||
|
|
||||||
## Tests workflow
|
## Tests workflow
|
||||||
|
|
||||||
The `compose-demo-workflow.yml` compose file runs a demo workflow to
|
The `compose-demo-workflow.yml` compose file runs a demo workflow to
|
||||||
|
|
|
@ -25,7 +25,7 @@ services:
|
||||||
git config user.name username ;
|
git config user.name username ;
|
||||||
git commit -m 'demo' ;
|
git commit -m 'demo' ;
|
||||||
while : ; do
|
while : ; do
|
||||||
git push --set-upstream --force http://root:admin1234@forgejo:3000/root/test main && break ;
|
git push --set-upstream --force http://root:{ROOT_PASSWORD}@forgejo:3000/root/test main && break ;
|
||||||
sleep 5 ;
|
sleep 5 ;
|
||||||
done ;
|
done ;
|
||||||
sha=`git rev-parse HEAD` ;
|
sha=`git rev-parse HEAD` ;
|
||||||
|
|
|
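Review bot: The push URL now carries `{ROOT_PASSWORD}`, but the instructions added by this commit (the README text and the header comment of compose-forgejo-and-runner.yml) only tell the reader to replace the placeholder in compose-forgejo-and-runner.yml. If this file is left untouched, the `while : ; do git push … && break ; sleep 5 ; done` loop would presumably keep failing authentication and never exit. Either name this file in the instructions or add a comment above the command here, e.g. `# Replace {ROOT_PASSWORD} with the same password as in compose-forgejo-and-runner.yml`. Because the value sits in the URL's userinfo part, a password containing `@`, `:`, `/` or `#` also has to be percent-encoded, which that comment should mention. The `command` block starts and ends outside the hunk.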
@ -1,6 +1,19 @@
|
||||||
# Copyright 2023 The Forgejo Authors.
|
# Copyright 2023 The Forgejo Authors.
|
||||||
# SPDX-License-Identifier: MIT
|
# SPDX-License-Identifier: MIT
|
||||||
|
|
||||||
|
#
|
||||||
|
# Create a secret with:
|
||||||
|
#
|
||||||
|
# openssl rand -hex 20
|
||||||
|
#
|
||||||
|
# Replace all occurences of {SHARED_SECRET} below with the output.
|
||||||
|
#
|
||||||
|
# NOTE: a token obtained from the Forgejo web interface cannot be used
|
||||||
|
# as a shared secret.
|
||||||
|
#
|
||||||
|
# Replace {ROOT_PASSWORD} with a secure password
|
||||||
|
#
|
||||||
|
|
||||||
version: "3"
|
version: "3"
|
||||||
|
|
||||||
services:
|
services:
|
||||||
|
@ -16,8 +29,8 @@ services:
|
||||||
bash -c '
|
bash -c '
|
||||||
/bin/s6-svscan /etc/s6 &
|
/bin/s6-svscan /etc/s6 &
|
||||||
sleep 10 ;
|
sleep 10 ;
|
||||||
su -c "forgejo forgejo-cli actions register --secret e3359786173a7aeb3818c19637479c5dbd7c5abb --labels docker --version 3.0.0" git ;
|
su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET} --labels docker --version 3.0.0" git ;
|
||||||
su -c "forgejo admin user create --admin --username root --password admin1234 --email root@example.com" git ;
|
su -c "forgejo admin user create --admin --username root --password {ROOT_PASSWORD} --email root@example.com" git ;
|
||||||
sleep infinity
|
sleep infinity
|
||||||
'
|
'
|
||||||
environment:
|
environment:
|
||||||
|
@ -45,7 +58,7 @@ services:
|
||||||
command: >-
|
command: >-
|
||||||
bash -c '
|
bash -c '
|
||||||
while : ; do
|
while : ; do
|
||||||
forgejo-runner create-runner-file --instance http://forgejo:3000 --name runner --secret e3359786173a7aeb3818c19637479c5dbd7c5abb && break ;
|
forgejo-runner create-runner-file --instance http://forgejo:3000 --name runner --secret {SHARED_SECRET} && break ;
|
||||||
sleep 1 ;
|
sleep 1 ;
|
||||||
done ;
|
done ;
|
||||||
forgejo-runner generate-config > config.yml ;
|
forgejo-runner generate-config > config.yml ;
|
||||||
|
|
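Review bot: `--password {ROOT_PASSWORD}` and `--secret {SHARED_SECRET}` are spliced unquoted into the `bash -c '…'` command strings (the first two inside `su -c "…"` as well), so a replacement value containing a space, a quote, `$` or a backslash breaks the command or is expanded by the shell. The header comment should say which characters are safe, e.g. `# Replace {ROOT_PASSWORD} with a secure password made of letters and digits only`. Both values also end up in the container command line, readable by anyone who can inspect the container or list its processes; since the commit removes the README's "must not be used in production" section, a one-line `# Demo only: secrets are passed on the command line` in the header would keep that caveat. The header comment spells "occurences"; it should read "occurrences". The `command` blocks continue outside the second and third hunks.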