mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-01 05:04:42 +02:00
## Summary This PR adds **scoped workflows** to Gitea Actions. Workflows defined centrally in a "source" repository that automatically run on every repository in scope: an organization's repositories, or (for instance admins) every repository on the instance. Each scoped run executes in the consuming repository's own context (its runners, secrets, and branch) while its content is read from the source repository, so an org or instance can mandate shared CI across many repositories without copying workflow files into each one. An owner or instance admin registers source repositories on a settings page and can mark individual workflows as **required**. A required scoped workflow cannot be opted out by a consuming repository and gates its pull-request merges; an optional one can be disabled per repository. Scoped workflows live under a dedicated `SCOPED_WORKFLOW_DIRS` (default `.gitea/scoped_workflows`), kept separate from regular `WORKFLOW_DIRS`. ## Main changes ### Configuration New `SCOPED_WORKFLOW_DIRS` setting, validated to not overlap with `WORKFLOW_DIRS`. Default: `.gitea/scoped_workflows` ### Data model & migration - New `action_scoped_workflow_source` table mapping a registering owner (`owner_id`, where `0` = instance-level) to a source repository, with a per-workflow `WorkflowConfigs` map. - `ActionRun` gains `WorkflowRepoID` / `WorkflowCommitSHA` (the pinned content source) and an `IsScopedRun` flag. ### Detection & run creation On consumer events, scoped workflows from the effective sources (the owner's own sources plus instance-level ones) are matched and turned into runs that execute in the consumer's context, with content pinned to the source repo's default-branch commit. `on: workflow_run` and `on: schedule` are currently not supported. ### Opt-out A consuming repository can disable an optional scoped workflow (tracked separately from regular `DisabledWorkflows`); required scoped workflows can never be disabled, opted out, or bypassed. ### Commit status A scoped run's status context format is `"<source repo full name>: <workflow display name> / <job> (<event>)"` (for example: `my-org/scoped-workflows: db-tests / test-sqlite (pull_request)`), keeping it distinct from a same-named repo-level workflow and from other sources. ### Required status checks Admins mark workflows required and supply status-check patterns. `EffectiveRequiredContexts` appends those patterns to the branch protection's required contexts and they are matched must-present-and-pass. If the status checks from scoped workflows fail, the PR cannot be merged. NOTE: scoped workflows' required status checks patterns can protect any target branch that has a protection rule, even though the rule's "Status Check" is disabled. A target branch with no protection rule cannot be protected. <details> <summary>Screenshots</summary> <img width="1400" alt="image" src="https://github.com/user-attachments/assets/a5d1db33-15ec-487e-93be-2bc04b4e6643" /> </details> ### Reusable workflows (`uses:`) A scoped workflow's local `uses: ./...` resolves against the source repository. `uses:` directory validation honors the instance-configurable `WORKFLOW_DIRS` and `SCOPED_WORKFLOW_DIRS` (previously hardcoded to `.gitea`/`.github/workflows`). ### Manual dispatch `workflow_dispatch` is supported for scoped workflows (web and API), resolving inputs/content from the source repo. ### Performance A process-local LRU cache keyed by source repo ID for the per-source workflow parse, so instance-level and owner-level sources don't open the source repo and parse workflow files on every event. ### UI Org / user / admin pages to register and remove sources, search repositories, and mark workflows required with their status-check patterns. The repository Actions sidebar groups scoped workflows by source with owner/instance labels and required/disabled badges. <details> <summary>Screenshots</summary> Scoped workflows setting page: <img width="1600" alt="image" src="https://github.com/user-attachments/assets/9d19f667-97a5-4935-92b2-e53f105e3642" /> Consumer repo's Actions runs list: <img width="1600" alt="image" src="https://github.com/user-attachments/assets/a77241f9-0aa9-41aa-ba73-12a9a688cb64" /> - `Owner`: this is a owner-level scoped workflows source repo - `Global`: this is a global scoped workflows source repo - `Required`: this scoped workflow is required, repo admin cannot disable it </details> --- Docs: https://gitea.com/gitea/docs/pulls/447 --------- Co-authored-by: bircni <bircni@icloud.com>
396 lines
13 KiB
Go
396 lines
13 KiB
Go
// Copyright 2022 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package actions
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"net/url"
|
|
"strings"
|
|
"time"
|
|
|
|
"gitea.dev/models/db"
|
|
repo_model "gitea.dev/models/repo"
|
|
user_model "gitea.dev/models/user"
|
|
"gitea.dev/modules/git"
|
|
"gitea.dev/modules/json"
|
|
"gitea.dev/modules/log"
|
|
"gitea.dev/modules/setting"
|
|
api "gitea.dev/modules/structs"
|
|
"gitea.dev/modules/timeutil"
|
|
"gitea.dev/modules/util"
|
|
webhook_module "gitea.dev/modules/webhook"
|
|
|
|
"xorm.io/builder"
|
|
)
|
|
|
|
// ActionRun represents a run of a workflow file
|
|
type ActionRun struct {
|
|
ID int64
|
|
Title string
|
|
RepoID int64 `xorm:"unique(repo_index)"`
|
|
Repo *repo_model.Repository `xorm:"-"`
|
|
OwnerID int64 `xorm:"index"`
|
|
WorkflowID string `xorm:"index"` // the name of workflow file
|
|
Index int64 `xorm:"index unique(repo_index)"` // a unique number for each run of a repository
|
|
TriggerUserID int64 `xorm:"index"`
|
|
TriggerUser *user_model.User `xorm:"-"`
|
|
ScheduleID int64
|
|
Ref string `xorm:"index"` // the commit/tag/… that caused the run
|
|
IsRefDeleted bool `xorm:"-"`
|
|
CommitSHA string
|
|
IsForkPullRequest bool // If this is triggered by a PR from a forked repository or an untrusted user, we need to check if it is approved and limit permissions when running the workflow.
|
|
NeedApproval bool // may need approval if it's a fork pull request
|
|
ApprovedBy int64 `xorm:"index"` // who approved
|
|
Event webhook_module.HookEventType // the webhook event that causes the workflow to run
|
|
EventPayload string `xorm:"LONGTEXT"`
|
|
TriggerEvent string // the trigger event defined in the `on` configuration of the triggered workflow
|
|
Status Status `xorm:"index"`
|
|
Version int `xorm:"version default 0"` // Status could be updated concomitantly, so an optimistic lock is needed
|
|
RawConcurrency string // raw concurrency
|
|
|
|
// WorkflowRepoID/WorkflowCommitSHA record the (repo, commit) the run's workflow file content came from.
|
|
// Always filled (repo-level run = the repo itself; scoped run = the source repo).
|
|
WorkflowRepoID int64 `xorm:"NOT NULL DEFAULT 0"`
|
|
WorkflowCommitSHA string `xorm:"VARCHAR(64) NOT NULL DEFAULT ''"`
|
|
|
|
IsScopedRun bool `xorm:"NOT NULL DEFAULT false"` // IsScopedRun explicitly classifies scoped runs.
|
|
|
|
// Started and Stopped are identical to the latest attempt after ActionRunAttempt was introduced.
|
|
// When a rerun creates a new latest attempt, they are reset until the new attempt starts and stops.
|
|
Started timeutil.TimeStamp
|
|
Stopped timeutil.TimeStamp
|
|
|
|
// PreviousDuration is kept only for legacy runs created before ActionRunAttempt existed.
|
|
// New runs and reruns no longer update this field and use attempt-scoped durations instead.
|
|
PreviousDuration time.Duration
|
|
|
|
LatestAttemptID int64 `xorm:"index NOT NULL DEFAULT 0"`
|
|
|
|
Created timeutil.TimeStamp `xorm:"created"`
|
|
Updated timeutil.TimeStamp `xorm:"updated"`
|
|
}
|
|
|
|
func init() {
|
|
db.RegisterModel(new(ActionRun))
|
|
db.RegisterModel(new(ActionRunIndex))
|
|
}
|
|
|
|
func (run *ActionRun) HTMLURL(ctxOpt ...context.Context) string {
|
|
if run.Repo == nil {
|
|
return ""
|
|
}
|
|
return fmt.Sprintf("%s/actions/runs/%d", run.Repo.HTMLURL(ctxOpt...), run.ID)
|
|
}
|
|
|
|
func (run *ActionRun) Link() string {
|
|
if run.Repo == nil {
|
|
return ""
|
|
}
|
|
return fmt.Sprintf("%s/actions/runs/%d", run.Repo.Link(), run.ID)
|
|
}
|
|
|
|
func (run *ActionRun) WorkflowLink() string {
|
|
if run.Repo == nil {
|
|
return ""
|
|
}
|
|
// A scoped run's workflow is disambiguated by its source repo, so carry scoped_workflow_source_repo_id back to the run list
|
|
if run.IsScopedRun {
|
|
return fmt.Sprintf("%s/actions/?workflow=%s&scoped_workflow_source_repo_id=%d", run.Repo.Link(), url.QueryEscape(run.WorkflowID), run.WorkflowRepoID)
|
|
}
|
|
return fmt.Sprintf("%s/actions/?workflow=%s", run.Repo.Link(), url.QueryEscape(run.WorkflowID))
|
|
}
|
|
|
|
// RefLink return the url of run's ref
|
|
func (run *ActionRun) RefLink() string {
|
|
refName := git.RefName(run.Ref)
|
|
if refName.IsPull() {
|
|
return run.Repo.Link() + "/pulls/" + refName.ShortName()
|
|
}
|
|
return run.Repo.Link() + "/src/" + refName.RefWebLinkPath()
|
|
}
|
|
|
|
// PrettyRef return #id for pull ref or ShortName for others
|
|
func (run *ActionRun) PrettyRef() string {
|
|
refName := git.RefName(run.Ref)
|
|
if refName.IsPull() {
|
|
return "#" + strings.TrimSuffix(strings.TrimPrefix(run.Ref, git.PullPrefix), "/head")
|
|
}
|
|
return refName.ShortName()
|
|
}
|
|
|
|
// RefTooltip return a tooltop of run's ref. For pull request, it's the title of the PR, otherwise it's the ShortName.
|
|
func (run *ActionRun) RefTooltip() string {
|
|
payload, err := run.GetPullRequestEventPayload()
|
|
if err == nil && payload != nil && payload.PullRequest != nil {
|
|
return payload.PullRequest.Title
|
|
}
|
|
return git.RefName(run.Ref).ShortName()
|
|
}
|
|
|
|
// LoadAttributes load Repo TriggerUser if not loaded
|
|
func (run *ActionRun) LoadAttributes(ctx context.Context) error {
|
|
if err := run.LoadRepo(ctx); err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := run.Repo.LoadAttributes(ctx); err != nil {
|
|
return err
|
|
}
|
|
|
|
return run.LoadTriggerUser(ctx)
|
|
}
|
|
|
|
func (run *ActionRun) LoadTriggerUser(ctx context.Context) (err error) {
|
|
if run.TriggerUser != nil {
|
|
return nil
|
|
}
|
|
run.TriggerUserID, run.TriggerUser, err = user_model.GetPossibleUserByID(ctx, run.TriggerUserID)
|
|
return err
|
|
}
|
|
|
|
func (run *ActionRun) LoadRepo(ctx context.Context) error {
|
|
if run.Repo != nil {
|
|
return nil
|
|
}
|
|
|
|
repo, err := repo_model.GetRepositoryByID(ctx, run.RepoID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
run.Repo = repo
|
|
return nil
|
|
}
|
|
|
|
func (run *ActionRun) Duration() time.Duration {
|
|
d := calculateDuration(run.Started, run.Stopped, run.Status, run.Updated) + run.PreviousDuration
|
|
if d < 0 {
|
|
return 0
|
|
}
|
|
return d
|
|
}
|
|
|
|
// GetLatestAttempt returns
|
|
// - the latest attempt of the run
|
|
// - (nil, false, nil) for legacy runs that have no attempt records
|
|
func (run *ActionRun) GetLatestAttempt(ctx context.Context) (*ActionRunAttempt, bool, error) {
|
|
if run.LatestAttemptID == 0 {
|
|
return nil, false, nil
|
|
}
|
|
attempt, err := GetRunAttemptByRepoAndID(ctx, run.RepoID, run.LatestAttemptID)
|
|
if err != nil {
|
|
return nil, false, err
|
|
}
|
|
return attempt, true, nil
|
|
}
|
|
|
|
func (run *ActionRun) GetEffectiveConcurrency(ctx context.Context) (string, bool, error) {
|
|
attempt, has, err := run.GetLatestAttempt(ctx)
|
|
if err != nil {
|
|
return "", false, err
|
|
}
|
|
if has {
|
|
return attempt.ConcurrencyGroup, attempt.ConcurrencyCancel, nil
|
|
}
|
|
return "", false, nil
|
|
}
|
|
|
|
func (run *ActionRun) GetPushEventPayload() (*api.PushPayload, error) {
|
|
if run.Event == webhook_module.HookEventPush {
|
|
var payload api.PushPayload
|
|
if err := json.Unmarshal([]byte(run.EventPayload), &payload); err != nil {
|
|
return nil, err
|
|
}
|
|
return &payload, nil
|
|
}
|
|
return nil, fmt.Errorf("event %s is not a push event", run.Event)
|
|
}
|
|
|
|
func (run *ActionRun) GetPullRequestEventPayload() (*api.PullRequestPayload, error) {
|
|
if run.Event.IsPullRequest() || run.Event.IsPullRequestReview() {
|
|
var payload api.PullRequestPayload
|
|
if err := json.Unmarshal([]byte(run.EventPayload), &payload); err != nil {
|
|
return nil, err
|
|
}
|
|
return &payload, nil
|
|
}
|
|
return nil, fmt.Errorf("event %s is not a pull request event", run.Event)
|
|
}
|
|
|
|
func (run *ActionRun) GetWorkflowRunEventPayload() (*api.WorkflowRunPayload, error) {
|
|
if run.Event == webhook_module.HookEventWorkflowRun {
|
|
var payload api.WorkflowRunPayload
|
|
if err := json.Unmarshal([]byte(run.EventPayload), &payload); err != nil {
|
|
return nil, err
|
|
}
|
|
return &payload, nil
|
|
}
|
|
return nil, fmt.Errorf("event %s is not a workflow run event", run.Event)
|
|
}
|
|
|
|
func (run *ActionRun) IsSchedule() bool {
|
|
return run.ScheduleID > 0
|
|
}
|
|
|
|
// UpdateRepoRunsNumbers updates the number of runs and closed runs of a repository.
|
|
// Callers MUST invoke this from outside any transaction that has X-locked action_run rows for the same repo, otherwise, transaction deadlock
|
|
func UpdateRepoRunsNumbers(ctx context.Context, repoID int64) {
|
|
if db.InTransaction(ctx) {
|
|
setting.PanicInDevOrTesting("UpdateRepoRunsNumbers must not be called inside a transaction")
|
|
}
|
|
|
|
e := db.GetEngine(ctx)
|
|
|
|
numActionRuns, err := e.Where("repo_id = ?", repoID).Count(new(ActionRun))
|
|
if err != nil {
|
|
log.Error("UpdateRepoRunsNumbers count num_action_runs for repo %d: %v", repoID, err)
|
|
return
|
|
}
|
|
|
|
numClosedActionRuns, err := e.Where("repo_id = ?", repoID).
|
|
In("status", StatusSuccess, StatusFailure, StatusCancelled, StatusSkipped).
|
|
Count(new(ActionRun))
|
|
if err != nil {
|
|
log.Error("UpdateRepoRunsNumbers count num_closed_action_runs for repo %d: %v", repoID, err)
|
|
return
|
|
}
|
|
|
|
if _, err := e.ID(repoID).Cols("num_action_runs", "num_closed_action_runs").NoAutoTime().Update(&repo_model.Repository{
|
|
NumActionRuns: int(numActionRuns),
|
|
NumClosedActionRuns: int(numClosedActionRuns),
|
|
}); err != nil {
|
|
log.Error("UpdateRepoRunsNumbers update repo %d: %v", repoID, err)
|
|
}
|
|
}
|
|
|
|
func GetRunByRepoAndID(ctx context.Context, repoID, runID int64) (*ActionRun, error) {
|
|
var run ActionRun
|
|
has, err := db.GetEngine(ctx).Where("id=? AND repo_id=?", runID, repoID).Get(&run)
|
|
if err != nil {
|
|
return nil, err
|
|
} else if !has {
|
|
return nil, fmt.Errorf("run with id %d: %w", runID, util.ErrNotExist)
|
|
}
|
|
|
|
return &run, nil
|
|
}
|
|
|
|
func GetRunByRepoAndIndex(ctx context.Context, repoID, runIndex int64) (*ActionRun, error) {
|
|
run, has, err := db.Get[ActionRun](ctx, builder.Eq{"repo_id": repoID, "`index`": runIndex})
|
|
if err != nil {
|
|
return nil, err
|
|
} else if !has {
|
|
return nil, fmt.Errorf("run with repo_id %d and index %d: %w", repoID, runIndex, util.ErrNotExist)
|
|
}
|
|
|
|
return run, nil
|
|
}
|
|
|
|
func GetLatestRun(ctx context.Context, repoID int64) (*ActionRun, error) {
|
|
run := &ActionRun{}
|
|
has, err := db.GetEngine(ctx).Where("repo_id=?", repoID).Desc("index").Get(run)
|
|
if err != nil {
|
|
return nil, err
|
|
} else if !has {
|
|
return nil, fmt.Errorf("latest run with repo_id %d: %w", repoID, util.ErrNotExist)
|
|
}
|
|
return run, nil
|
|
}
|
|
|
|
func GetWorkflowLatestRun(ctx context.Context, repoID int64, workflowFile, branch, event string) (*ActionRun, error) {
|
|
var run ActionRun
|
|
q := db.GetEngine(ctx).Where("repo_id=?", repoID).
|
|
And("ref = ?", branch).
|
|
And("workflow_id = ?", workflowFile).
|
|
// TODO: the badge only reflects the repo's own (repo-level) runs; a same-named scoped run must not leak in.
|
|
// Support a scoped-workflow badge later by making this source-aware.
|
|
And("is_scoped_run = ?", false)
|
|
if event != "" {
|
|
q.And("event = ?", event)
|
|
}
|
|
has, err := q.Desc("id").Get(&run)
|
|
if err != nil {
|
|
return nil, err
|
|
} else if !has {
|
|
return nil, util.NewNotExistErrorf("run with repo_id %d, ref %s, workflow_id %s", repoID, branch, workflowFile)
|
|
}
|
|
return &run, nil
|
|
}
|
|
|
|
// UpdateRun updates a run.
|
|
// It requires the inputted run has Version set.
|
|
// It will return error if the version is not matched (it means the run has been changed after loaded).
|
|
func UpdateRun(ctx context.Context, run *ActionRun, cols ...string) error {
|
|
sess := db.GetEngine(ctx).ID(run.ID)
|
|
if len(cols) > 0 {
|
|
sess.Cols(cols...)
|
|
}
|
|
run.Title = util.EllipsisDisplayString(run.Title, 255)
|
|
affected, err := sess.Update(run)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if affected == 0 {
|
|
return errors.New("run has changed")
|
|
// It's impossible that the run is not found, since Gitea never deletes runs.
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
type ActionRunIndex db.ResourceIndex
|
|
|
|
// GetConcurrentRunAttemptsAndJobs returns run attempts and jobs in the same concurrency group by statuses.
|
|
func GetConcurrentRunAttemptsAndJobs(ctx context.Context, repoID int64, concurrencyGroup string, status []Status) ([]*ActionRunAttempt, []*ActionRunJob, error) {
|
|
attempts, err := FindConcurrentRunAttempts(ctx, repoID, concurrencyGroup, status)
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("find run attempts: %w", err)
|
|
}
|
|
|
|
jobs, err := db.Find[ActionRunJob](ctx, &FindRunJobOptions{
|
|
RepoID: repoID,
|
|
ConcurrencyGroup: concurrencyGroup,
|
|
Statuses: status,
|
|
})
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("find jobs: %w", err)
|
|
}
|
|
|
|
return attempts, jobs, nil
|
|
}
|
|
|
|
func CancelPreviousJobsByRunConcurrency(ctx context.Context, attempt *ActionRunAttempt) ([]*ActionRunJob, error) {
|
|
if attempt.ConcurrencyGroup == "" {
|
|
return nil, nil
|
|
}
|
|
|
|
var jobsToCancel []*ActionRunJob
|
|
|
|
statusFindOption := []Status{StatusWaiting, StatusBlocked}
|
|
if attempt.ConcurrencyCancel {
|
|
statusFindOption = append(statusFindOption, StatusRunning)
|
|
statusFindOption = append(statusFindOption, StatusCancelling)
|
|
}
|
|
attempts, jobs, err := GetConcurrentRunAttemptsAndJobs(ctx, attempt.RepoID, attempt.ConcurrencyGroup, statusFindOption)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("find concurrent runs and jobs: %w", err)
|
|
}
|
|
jobsToCancel = append(jobsToCancel, jobs...)
|
|
|
|
// cancel runs in the same concurrency group
|
|
for _, concurrentAttempt := range attempts {
|
|
if concurrentAttempt.RunID == attempt.RunID {
|
|
continue
|
|
}
|
|
jobs, err := GetRunJobsByRunAndAttemptID(ctx, concurrentAttempt.RunID, concurrentAttempt.ID)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("find run %d attempt %d jobs: %w", concurrentAttempt.RunID, concurrentAttempt.ID, err)
|
|
}
|
|
jobsToCancel = append(jobsToCancel, jobs...)
|
|
}
|
|
|
|
return CancelJobs(ctx, jobsToCancel)
|
|
}
|