mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-03 21:32:36 +02:00
## Summary This PR adds **scoped workflows** to Gitea Actions. Workflows defined centrally in a "source" repository that automatically run on every repository in scope: an organization's repositories, or (for instance admins) every repository on the instance. Each scoped run executes in the consuming repository's own context (its runners, secrets, and branch) while its content is read from the source repository, so an org or instance can mandate shared CI across many repositories without copying workflow files into each one. An owner or instance admin registers source repositories on a settings page and can mark individual workflows as **required**. A required scoped workflow cannot be opted out by a consuming repository and gates its pull-request merges; an optional one can be disabled per repository. Scoped workflows live under a dedicated `SCOPED_WORKFLOW_DIRS` (default `.gitea/scoped_workflows`), kept separate from regular `WORKFLOW_DIRS`. ## Main changes ### Configuration New `SCOPED_WORKFLOW_DIRS` setting, validated to not overlap with `WORKFLOW_DIRS`. Default: `.gitea/scoped_workflows` ### Data model & migration - New `action_scoped_workflow_source` table mapping a registering owner (`owner_id`, where `0` = instance-level) to a source repository, with a per-workflow `WorkflowConfigs` map. - `ActionRun` gains `WorkflowRepoID` / `WorkflowCommitSHA` (the pinned content source) and an `IsScopedRun` flag. ### Detection & run creation On consumer events, scoped workflows from the effective sources (the owner's own sources plus instance-level ones) are matched and turned into runs that execute in the consumer's context, with content pinned to the source repo's default-branch commit. `on: workflow_run` and `on: schedule` are currently not supported. ### Opt-out A consuming repository can disable an optional scoped workflow (tracked separately from regular `DisabledWorkflows`); required scoped workflows can never be disabled, opted out, or bypassed. ### Commit status A scoped run's status context format is `"<source repo full name>: <workflow display name> / <job> (<event>)"` (for example: `my-org/scoped-workflows: db-tests / test-sqlite (pull_request)`), keeping it distinct from a same-named repo-level workflow and from other sources. ### Required status checks Admins mark workflows required and supply status-check patterns. `EffectiveRequiredContexts` appends those patterns to the branch protection's required contexts and they are matched must-present-and-pass. If the status checks from scoped workflows fail, the PR cannot be merged. NOTE: scoped workflows' required status checks patterns can protect any target branch that has a protection rule, even though the rule's "Status Check" is disabled. A target branch with no protection rule cannot be protected. <details> <summary>Screenshots</summary> <img width="1400" alt="image" src="https://github.com/user-attachments/assets/a5d1db33-15ec-487e-93be-2bc04b4e6643" /> </details> ### Reusable workflows (`uses:`) A scoped workflow's local `uses: ./...` resolves against the source repository. `uses:` directory validation honors the instance-configurable `WORKFLOW_DIRS` and `SCOPED_WORKFLOW_DIRS` (previously hardcoded to `.gitea`/`.github/workflows`). ### Manual dispatch `workflow_dispatch` is supported for scoped workflows (web and API), resolving inputs/content from the source repo. ### Performance A process-local LRU cache keyed by source repo ID for the per-source workflow parse, so instance-level and owner-level sources don't open the source repo and parse workflow files on every event. ### UI Org / user / admin pages to register and remove sources, search repositories, and mark workflows required with their status-check patterns. The repository Actions sidebar groups scoped workflows by source with owner/instance labels and required/disabled badges. <details> <summary>Screenshots</summary> Scoped workflows setting page: <img width="1600" alt="image" src="https://github.com/user-attachments/assets/9d19f667-97a5-4935-92b2-e53f105e3642" /> Consumer repo's Actions runs list: <img width="1600" alt="image" src="https://github.com/user-attachments/assets/a77241f9-0aa9-41aa-ba73-12a9a688cb64" /> - `Owner`: this is a owner-level scoped workflows source repo - `Global`: this is a global scoped workflows source repo - `Required`: this scoped workflow is required, repo admin cannot disable it </details> --- Docs: https://gitea.com/gitea/docs/pulls/447 --------- Co-authored-by: bircni <bircni@icloud.com>
180 lines
7.4 KiB
Go
180 lines
7.4 KiB
Go
// Copyright 2026 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package actions
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
|
|
"gitea.dev/models/db"
|
|
repo_model "gitea.dev/models/repo"
|
|
"gitea.dev/modules/timeutil"
|
|
"gitea.dev/modules/util"
|
|
|
|
"xorm.io/builder"
|
|
)
|
|
|
|
// ActionScopedWorkflowSource registers a repository as a source of scoped workflows, either for an owner (user/org) or for the whole instance.
|
|
type ActionScopedWorkflowSource struct {
|
|
ID int64 `xorm:"pk autoincr"`
|
|
|
|
// OwnerID is the scope the source applies to: a user/org ID (applies to that owner's repos), or 0 for instance-level (applies to every repo).
|
|
OwnerID int64 `xorm:"UNIQUE(owner_repo) NOT NULL DEFAULT 0"`
|
|
// SourceRepoID is the source repository providing the workflow files; always non-zero.
|
|
SourceRepoID int64 `xorm:"INDEX UNIQUE(owner_repo) NOT NULL DEFAULT 0"`
|
|
|
|
// WorkflowConfigs maps a workflow ID (entry name) to its merge-gate config.
|
|
WorkflowConfigs map[string]*ScopedWorkflowConfig `xorm:"JSON TEXT 'workflow_configs'"`
|
|
|
|
CreatedUnix timeutil.TimeStamp `xorm:"created"`
|
|
UpdatedUnix timeutil.TimeStamp `xorm:"updated"`
|
|
}
|
|
|
|
// ScopedWorkflowConfig is one scoped workflow's config within a source registration.
|
|
type ScopedWorkflowConfig struct {
|
|
Required bool `json:"required"`
|
|
Patterns []string `json:"patterns"` // the status-check patterns that must be present and pass, only effective when Required is true
|
|
}
|
|
|
|
func init() {
|
|
db.RegisterModel(new(ActionScopedWorkflowSource))
|
|
}
|
|
|
|
// IsWorkflowRequired reports whether the given workflow ID (entry name) is marked required in this source.
|
|
func (s *ActionScopedWorkflowSource) IsWorkflowRequired(workflowID string) bool {
|
|
c, ok := s.WorkflowConfigs[workflowID]
|
|
return ok && c.Required
|
|
}
|
|
|
|
type FindScopedWorkflowSourceOpts struct {
|
|
db.ListOptions
|
|
OwnerIDs []int64
|
|
SourceRepoID int64
|
|
}
|
|
|
|
func (opts FindScopedWorkflowSourceOpts) ToConds() builder.Cond {
|
|
cond := builder.NewCond()
|
|
if len(opts.OwnerIDs) > 0 {
|
|
cond = cond.And(builder.In("owner_id", opts.OwnerIDs))
|
|
}
|
|
if opts.SourceRepoID != 0 {
|
|
cond = cond.And(builder.Eq{"source_repo_id": opts.SourceRepoID})
|
|
}
|
|
return cond
|
|
}
|
|
|
|
// GetEffectiveScopedWorkflowSources returns the scoped-workflow sources effective for a repo owned by repoOwnerID:
|
|
// the owner's own sources plus instance-level (owner_id=0) sources.
|
|
func GetEffectiveScopedWorkflowSources(ctx context.Context, repoOwnerID int64) ([]*ActionScopedWorkflowSource, error) {
|
|
owners := []int64{0}
|
|
if repoOwnerID != 0 {
|
|
owners = append(owners, repoOwnerID)
|
|
}
|
|
return db.Find[ActionScopedWorkflowSource](ctx, FindScopedWorkflowSourceOpts{OwnerIDs: owners})
|
|
}
|
|
|
|
// IsScopedWorkflowSourceEffective reports whether sourceRepoID is a scoped-workflow source effective for a repo owned by repoOwnerID.
|
|
func IsScopedWorkflowSourceEffective(ctx context.Context, repoOwnerID, sourceRepoID int64) (bool, error) {
|
|
owners := []int64{0}
|
|
if repoOwnerID != 0 {
|
|
owners = append(owners, repoOwnerID)
|
|
}
|
|
return db.Exist[ActionScopedWorkflowSource](ctx, FindScopedWorkflowSourceOpts{OwnerIDs: owners, SourceRepoID: sourceRepoID}.ToConds())
|
|
}
|
|
|
|
// IsWorkflowRequiredInSources reports whether workflowID from sourceRepoID is required by any of the given sources.
|
|
func IsWorkflowRequiredInSources(sources []*ActionScopedWorkflowSource, sourceRepoID int64, workflowID string) bool {
|
|
for _, s := range sources {
|
|
if s.SourceRepoID == sourceRepoID && s.IsWorkflowRequired(workflowID) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// ScopedStatusContextPrefix returns the source-repo prefix that makes a scoped run's commit-status context distinct from same-named workflows.
|
|
func ScopedStatusContextPrefix(ctx context.Context, sourceRepoID int64) string {
|
|
if sourceRepo, err := repo_model.GetRepositoryByID(ctx, sourceRepoID); err == nil {
|
|
return sourceRepo.FullName()
|
|
}
|
|
return fmt.Sprintf("scoped:%d", sourceRepoID)
|
|
}
|
|
|
|
// IsScopedWorkflowRequired reports whether workflowID from sourceRepoID is required for a repo owned by consumerOwnerID.
|
|
func IsScopedWorkflowRequired(ctx context.Context, consumerOwnerID, sourceRepoID int64, workflowID string) (bool, error) {
|
|
sources, err := GetEffectiveScopedWorkflowSources(ctx, consumerOwnerID)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
return IsWorkflowRequiredInSources(sources, sourceRepoID, workflowID), nil
|
|
}
|
|
|
|
// IsScopedWorkflowOptedOutloads the consumer's effective sources then calls ScopedWorkflowOptedOut
|
|
func IsScopedWorkflowOptedOut(ctx context.Context, cfg *repo_model.ActionsConfig, consumerOwnerID, sourceRepoID int64, workflowID string) (bool, error) {
|
|
if !cfg.IsScopedWorkflowDisabled(sourceRepoID, workflowID) {
|
|
return false, nil
|
|
}
|
|
sources, err := GetEffectiveScopedWorkflowSources(ctx, consumerOwnerID)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
return ScopedWorkflowOptedOut(cfg, sources, sourceRepoID, workflowID), nil
|
|
}
|
|
|
|
// ScopedWorkflowOptedOut reports whether a consumer's opt-out of (sourceRepoID, workflowID) is in effect.
|
|
func ScopedWorkflowOptedOut(cfg *repo_model.ActionsConfig, sources []*ActionScopedWorkflowSource, sourceRepoID int64, workflowID string) bool {
|
|
return !IsWorkflowRequiredInSources(sources, sourceRepoID, workflowID) && cfg.IsScopedWorkflowDisabled(sourceRepoID, workflowID)
|
|
}
|
|
|
|
// GetScopedWorkflowSourcesByOwner returns the sources an owner (user/org, or 0 for instance) registered.
|
|
func GetScopedWorkflowSourcesByOwner(ctx context.Context, ownerID int64) ([]*ActionScopedWorkflowSource, error) {
|
|
return db.Find[ActionScopedWorkflowSource](ctx, FindScopedWorkflowSourceOpts{OwnerIDs: []int64{ownerID}})
|
|
}
|
|
|
|
// GetScopedWorkflowSource returns the (owner, repo) source registration or a NotExist error.
|
|
func GetScopedWorkflowSource(ctx context.Context, ownerID, repoID int64) (*ActionScopedWorkflowSource, error) {
|
|
src := &ActionScopedWorkflowSource{}
|
|
has, err := db.GetEngine(ctx).Where("owner_id = ? AND source_repo_id = ?", ownerID, repoID).Get(src)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !has {
|
|
return nil, util.NewNotExistErrorf("scoped workflow source (owner %d, repo %d) does not exist", ownerID, repoID)
|
|
}
|
|
return src, nil
|
|
}
|
|
|
|
// AddScopedWorkflowSource registers repoID as a source for ownerID (no-op if already registered).
|
|
func AddScopedWorkflowSource(ctx context.Context, ownerID, repoID int64) error {
|
|
exists, err := db.GetEngine(ctx).Where("owner_id = ? AND source_repo_id = ?", ownerID, repoID).Exist(new(ActionScopedWorkflowSource))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if exists {
|
|
return nil
|
|
}
|
|
if err := db.Insert(ctx, &ActionScopedWorkflowSource{OwnerID: ownerID, SourceRepoID: repoID}); err != nil {
|
|
// Re-check and treat an already-present row as the intended no-op.
|
|
if exists, existErr := db.GetEngine(ctx).Where("owner_id = ? AND source_repo_id = ?", ownerID, repoID).Exist(new(ActionScopedWorkflowSource)); existErr == nil && exists {
|
|
return nil
|
|
}
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// SetScopedWorkflowSourceConfigs replaces the per-workflow merge-gate configs (workflow ID -> config).
|
|
func SetScopedWorkflowSourceConfigs(ctx context.Context, ownerID, repoID int64, configs map[string]*ScopedWorkflowConfig) error {
|
|
_, err := db.GetEngine(ctx).Where("owner_id = ? AND source_repo_id = ?", ownerID, repoID).
|
|
Cols("workflow_configs").
|
|
Update(&ActionScopedWorkflowSource{WorkflowConfigs: configs})
|
|
return err
|
|
}
|
|
|
|
// RemoveScopedWorkflowSource removes the (owner, repo) source registration.
|
|
func RemoveScopedWorkflowSource(ctx context.Context, ownerID, repoID int64) error {
|
|
_, err := db.GetEngine(ctx).Where("owner_id = ? AND source_repo_id = ?", ownerID, repoID).Delete(new(ActionScopedWorkflowSource))
|
|
return err
|
|
}
|