fix: use new secrets

2025-07-21 04:45:02 +02:00 · 2022-12-22 14:44:22 +08:00 · 2022-12-22 14:44:22 +08:00 · 058675f7e5
commit 058675f7e5
parent d183b32aa8
7 changed files with 17 additions and 55 deletions
--- a/go.mod
+++ b/go.mod
@ -17,8 +17,8 @@ require (
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/PuerkitoBio/goquery v1.8.0
 	github.com/alecthomas/chroma/v2 v2.4.0
 	github.com/bufbuild/connect-go v1.3.1
 	github.com/blevesearch/bleve/v2 v2.3.5
 	github.com/bufbuild/connect-go v1.3.1
 	github.com/buildkite/terminal-to-html/v3 v3.7.0
 	github.com/caddyserver/certmagic v0.17.2
 	github.com/chi-middleware/proxy v1.1.1
--- a/models/migrations/v1_19/v237.go
+++ b/models/migrations/v1_19/v237.go
@ -174,4 +174,3 @@ func AddActionsTables(x *xorm.Engine) error {
 		new(dbfsData),
 	)
 }
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@ -5,7 +5,6 @@
 package setting
 import (
 	"crypto/sha1"
 	"encoding/base64"
 	"fmt"
 	"math"
@ -28,7 +27,6 @@ import (
 	"code.gitea.io/gitea/modules/user"
 	"code.gitea.io/gitea/modules/util"
 	"golang.org/x/crypto/pbkdf2"
 	gossh "golang.org/x/crypto/ssh"
 	ini "gopkg.in/ini.v1"
 )
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@ -46,7 +46,6 @@ import (
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/services/gitdiff"
 	secret_service "code.gitea.io/gitea/services/secrets"
 	"github.com/editorconfig/editorconfig-core-go/v2"
 )
@ -476,13 +475,6 @@ func NewFuncMap() []template.FuncMap {
 		"RefShortName": func(ref string) string {
 			return git.RefName(ref).ShortName()
 		},
 		"Shadow": func(s string) string {
 			return "******"
 		},
 		"DecryptSecret": func(s string) string {
 			v, _ := secret_service.DecryptString(s)
 			return v
 		},
 	}}
 }
--- a/routers/api/actions/runner/utils.go
+++ b/routers/api/actions/runner/utils.go
@ -8,11 +8,11 @@ import (
 	"fmt"
 	actions_model "code.gitea.io/gitea/models/actions"
-	"code.gitea.io/gitea/models/webhook"
+	secret_model "code.gitea.io/gitea/models/secret"
 	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/log"
 	secret_module "code.gitea.io/gitea/modules/secret"
 	"code.gitea.io/gitea/modules/setting"
 	secret_service "code.gitea.io/gitea/services/secrets"
 	runnerv1 "code.gitea.io/actions-proto-go/runner/v1"
 	"google.golang.org/protobuf/types/known/structpb"
@ -37,34 +37,31 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv
 }
 func getSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[string]string {
 	// Returning an error is worse than returning empty secrets.
 	secrets := map[string]string{}
 	if task.Job.Run.IsForkPullRequest {
 		// ignore secrets for fork pull request
 		return secrets
 	}
-	userSecrets, err := secret_service.FindUserSecrets(ctx, task.Job.Run.Repo.OwnerID)
+	ownerSecrets, err := secret_model.FindSecrets(ctx, secret_model.FindSecretsOptions{OwnerID: task.Job.Run.Repo.OwnerID})
 	if err != nil {
-		log.Error("find user secrets of %v: %v", task.Job.Run.Repo.OwnerID, err)
+		log.Error("find secrets of owner %v: %v", task.Job.Run.Repo.OwnerID, err)
 		// go on
 	}
-	repoSecrets, err := secret_service.FindRepoSecrets(ctx, task.Job.Run.RepoID)
+	repoSecrets, err := secret_model.FindSecrets(ctx, secret_model.FindSecretsOptions{RepoID: task.Job.Run.RepoID})
 	if err != nil {
-		log.Error("find repo secrets of %v: %v", task.Job.Run.RepoID, err)
+		log.Error("find secrets of repo %v: %v", task.Job.Run.RepoID, err)
 		// go on
 	}
-	// FIXME: Not sure if it's the exact meaning of secret.PullRequest
+	for _, secret := range append(ownerSecrets, repoSecrets...) {
-	pullRequest := task.Job.Run.Event == webhook.HookEventPullRequest
+		if v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data); err != nil {
 	for _, secret := range append(userSecrets, repoSecrets...) {
 		if !pullRequest || secret.PullRequest {
 			if v, err := secret_service.DecryptString(secret.Data); err != nil {
 			log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err)
 			// go on
 		} else {
 			secrets[secret.Name] = v
 		}
 	}
 	}
 	if _, ok := secrets["GITHUB_TOKEN"]; !ok {
 		secrets["GITHUB_TOKEN"] = task.Token
--- a/routers/init.go
+++ b/routers/init.go
@ -48,7 +48,6 @@ import (
 	pull_service "code.gitea.io/gitea/services/pull"
 	repo_service "code.gitea.io/gitea/services/repository"
 	"code.gitea.io/gitea/services/repository/archiver"
 	secret_service "code.gitea.io/gitea/services/secrets"
 	"code.gitea.io/gitea/services/task"
 	"code.gitea.io/gitea/services/webhook"
 )
@ -152,8 +151,6 @@ func GlobalInitInstalled(ctx context.Context) {
 	mustInit(models.Init)
 	mustInit(repo_service.Init)
 	mustInit(secret_service.Init)
 	// Booting long running goroutines.
 	issue_indexer.InitIssueIndexer(false)
 	code_indexer.Init()
--- a/services/secrets/encryption_aes_test.go
+++ b/services/secrets/encryption_aes_test.go
@ -1,21 +0,0 @@
 // Copyright 2022 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package secrets
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestEncryptDecrypt(t *testing.T) {
 	provider := NewAesEncryptionProvider()
 	key := []byte("1111111111111111")
 	pri := "vvvvvvv"
 	enc, err := provider.EncryptString(pri, key)
 	assert.NoError(t, err)
 	v, err := provider.DecryptString(enc, key)
 	assert.NoError(t, err)
 	assert.EqualValues(t, pri, v)
 }