diff --git a/.forgejo/workflows/example-docker-compose.yml b/.forgejo/workflows/example-docker-compose.yml
index 465e80b..557d9d4 100644
--- a/.forgejo/workflows/example-docker-compose.yml
+++ b/.forgejo/workflows/example-docker-compose.yml
@@ -28,6 +28,8 @@ jobs:
 run: |
 set -x
 cd examples/docker-compose
+ secret=$(openssl rand -hex 20)
+ sed -i -e "s/{SHARED_SECRET}/$secret/" compose-forgejo-and-runner.yml
 cli="docker compose -f compose-forgejo-and-runner.yml -f compose-demo-workflow.yml"
 #
 # Launch
diff --git a/examples/docker-compose/README.md b/examples/docker-compose/README.md
index 166fc41..a9c3dfe 100644
--- a/examples/docker-compose/README.md
+++ b/examples/docker-compose/README.md
@@ -8,6 +8,20 @@ used by the `Forgejo runner` to execute the workflows.
 
 ### Running
 
+Create a shared secret with:
+
+```sh
+openssl rand -hex 20
+```
+
+Replace all occurences of {SHARED_SECRET} in
+[compose-forgejo-and-runner.yml](compose-forgejo-and-runner.yml).
+
+> **NOTE:** a token obtained from the Forgejo web interface cannot be used as a shared secret.
+
+Replace {ROOT_PASSWORD} with a secure password in
+[compose-forgejo-and-runner.yml](compose-forgejo-and-runner.yml).
+
 ```sh
 docker-compose -f compose-forgejo-and-runner.yml up
 Creating docker-compose_docker-in-docker_1 ... done
@@ -27,17 +41,10 @@ To login the Forgejo instance:
 
 * URL: http://0.0.0.0:8080
 * user: root
-* password: admin1234
+* password: {ROOT_PASSWORD}
 
 `Forgejo Actions` is enabled by default when creating a repository.
 
-### Security
-
-This is a demo and **must not be used in production** because:
-
-* the runner secret is hardcoded
-* the admin password is hardcoded to admin1234
-
 ## Tests workflow
 
 The `compose-demo-workflow.yml` compose file runs a demo workflow to
diff --git a/examples/docker-compose/compose-demo-workflow.yml b/examples/docker-compose/compose-demo-workflow.yml
index 2f61d4a..1ce2fee 100644
--- a/examples/docker-compose/compose-demo-workflow.yml
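Review bot: The freshly generated runner secret is written to the job log: `set -x` is still in effect from two lines above, so xtrace echoes the `secret=…` assignment with its expanded value and then the full `sed` expression. Bracketing the two added lines with `set +x` before `secret=$(openssl rand -hex 20)` and `set -x` after the `sed` keeps the value out of the log; the exposure is limited to a job-local instance, but CI logs are typically retained and readable by more people than the instance is. Separately, `{ROOT_PASSWORD}` is not substituted here, so the instance created by this job keeps the literal placeholder as its admin password and the push in `compose-demo-workflow.yml` uses it; if that is intentional, a one-line comment saying so would help the next reader. The `run:` block continues outside the hunk.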
+++ b/examples/docker-compose/compose-demo-workflow.yml
@@ -25,7 +25,7 @@ services:
 git config user.name username ;
 git commit -m 'demo' ;
 while : ; do
- git push --set-upstream --force http://root:admin1234@forgejo:3000/root/test main && break ;
+ git push --set-upstream --force http://root:{ROOT_PASSWORD}@forgejo:3000/root/test main && break ;
 sleep 5 ;
 done ;
 sha=`git rev-parse HEAD` ;
diff --git a/examples/docker-compose/compose-forgejo-and-runner.yml b/examples/docker-compose/compose-forgejo-and-runner.yml
index 75ca5c1..be44175 100644
--- a/examples/docker-compose/compose-forgejo-and-runner.yml
+++ b/examples/docker-compose/compose-forgejo-and-runner.yml
@@ -1,6 +1,19 @@
 # Copyright 2023 The Forgejo Authors.
 # SPDX-License-Identifier: MIT
 
+#
+# Create a secret with:
+#
+# openssl rand -hex 20
+#
+# Replace all occurences of {SHARED_SECRET} below with the output.
+#
+# NOTE: a token obtained from the Forgejo web interface cannot be used
+# as a shared secret.
+#
+# Replace {ROOT_PASSWORD} with a secure password
+#
+
 version: "3"
 
 services:
@@ -16,8 +29,8 @@ services:
 bash -c '
 /bin/s6-svscan /etc/s6 &
 sleep 10 ;
- su -c "forgejo forgejo-cli actions register --secret e3359786173a7aeb3818c19637479c5dbd7c5abb --labels docker --version 3.0.0" git ;
- su -c "forgejo admin user create --admin --username root --password admin1234 --email root@example.com" git ;
+ su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET} --labels docker --version 3.0.0" git ;
+ su -c "forgejo admin user create --admin --username root --password {ROOT_PASSWORD} --email root@example.com" git ;
 sleep infinity
 '
 environment:
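Review bot: `{ROOT_PASSWORD}` is now embedded in the userinfo part of a URL, so a password containing URL-reserved characters such as `@`, `/`, `:`, `#` or `%` can make the push target unparseable or resolve to a different host, and the README asks users to choose a secure password without stating this constraint. Either document it next to the placeholder, `# {ROOT_PASSWORD} must be URL-safe (no @ / : # %) or percent-encoded`, or percent-encode the value before it is substituted into the URL. The `command:` block this line belongs to starts and ends outside the hunk.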
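Review bot: Both placeholders are substituted into a double-quoted string inside `bash -c '…'`, so a `{ROOT_PASSWORD}` containing a double quote, `$`, a backtick or a backslash breaks the quoting without an obvious error, and the new header comment gives the `openssl rand -hex 20` recipe without saying what property of its output matters (the `-hex 20` choice suggests `actions register` expects a 40-character hex string — worth confirming against the CLI and stating in the comment, since a user who substitutes a passphrase would otherwise see an unexplained registration failure). A comment such as `# {ROOT_PASSWORD} is inserted into a double-quoted shell string: avoid double quotes, $, backticks and backslashes` next to the `su -c` lines would cover the quoting point. The same `--secret {SHARED_SECRET}` substitution appears in the runner hunk at `@@ -45,7 +58,7 @@`, where the same length/alphabet constraint applies. Minor: `occurences` in the new comment (and in the README hunk) should read `occurrences`.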
@@ -45,7 +58,7 @@ services:
 command: >-
 bash -c '
 while : ; do
- forgejo-runner create-runner-file --instance http://forgejo:3000 --name runner --secret e3359786173a7aeb3818c19637479c5dbd7c5abb && break ;
+ forgejo-runner create-runner-file --instance http://forgejo:3000 --name runner --secret {SHARED_SECRET} && break ;
 sleep 1 ;
 done ;
 forgejo-runner generate-config > config.yml ;