Fix security issues with cache by proxying access (#503)

This is the forgejo-runner-side patch for a partial overhaul of the cache system to fix some access control issues with caches. This code depends on changes in act which are being reviewed here: forgejo/act#107 Co-authored-by: Michael Kriese <michael.kriese@visualon.de> Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/502 Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/503 Reviewed-by: Gusted <gusted@noreply.code.forgejo.org> Co-authored-by: Kwonunn <kwonunnx@gmail.com> Co-committed-by: Kwonunn <kwonunnx@gmail.com>
2025-03-22 00:03:09 +00:00 · 2025-03-22 00:03:09 +00:00 · 46eb63a952
commit 46eb63a952
parent e5e28d16a5
8 changed files with 139 additions and 38 deletions
--- a/internal/pkg/config/config.example.yaml
+++ b/internal/pkg/config/config.example.yaml
@ -58,10 +58,19 @@ cache:
  # The port of the cache server.
  # 0 means to use a random available port.
  port: 0
+  # The port of the cache proxy.
+  # 0 means to use a random available port.
+  proxy_port: 0
  # The external cache server URL. Valid only when enable is true.
  # If it's specified, it will be used to set the ACTIONS_CACHE_URL environment variable. The URL should generally end with "/".
  # Otherwise it will be set to the the URL of the internal cache server.
  external_server: ""
+  # The shared cache secret. When communicating with a cache server, the runner uses this secret to verify the authenticity of the cache requests.
+  # When using an external cache server it is required to set the same secret for the runner and the cache server.
+  secret: ""
+  # Overrides the ACTIONS_CACHE_URL passed to workflow containers. This should only be used if the runner host is not reachable from the
+  # workflow containers, and requires further setup.
+  actions_cache_url_override: ""

 container:
  # Specifies the network to which the container will connect.
--- a/internal/pkg/config/config.go
+++ b/internal/pkg/config/config.go
@ -37,11 +37,14 @@ type Runner struct {

 // Cache represents the configuration for caching.
 type Cache struct {
-	Enabled        *bool  `yaml:"enabled"`         // Enabled indicates whether caching is enabled. It is a pointer to distinguish between false and not set. If not set, it will be true.
-	Dir            string `yaml:"dir"`             // Dir specifies the directory path for caching.
-	Host           string `yaml:"host"`            // Host specifies the caching host.
-	Port           uint16 `yaml:"port"`            // Port specifies the caching port.
-	ExternalServer string `yaml:"external_server"` // ExternalServer specifies the URL of external cache server
+	Enabled                 *bool  `yaml:"enabled"`                    // Enabled indicates whether caching is enabled. It is a pointer to distinguish between false and not set. If not set, it will be true.
+	Dir                     string `yaml:"dir"`                        // Dir specifies the directory path for caching.
+	Host                    string `yaml:"host"`                       // Host specifies the caching host.
+	Port                    uint16 `yaml:"port"`                       // Port specifies the caching port.
+	ProxyPort               uint16 `yaml:"proxy_port"`                 // ProxyPort specifies the cache proxy port.
+	ExternalServer          string `yaml:"external_server"`            // ExternalServer specifies the URL of external cache server
+	ActionsCacheUrlOverride string `yaml:"actions_cache_url_override"` // Allows the user to override the ACTIONS_CACHE_URL passed to the workflow containers
+	Secret                  string `yaml:"secret"`                     // Shared secret to secure caches.
 }

 // Container represents the configuration for the container.