-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support actions/upload-artifact@v4, actions/download-artifact@v4 #28853
Comments
Could be helpful: nektos/act#2135 I have had already reverse engineered this to run locally. Currently we would also have to patch away the GHES not supported flag in the client code to actually test it via gitea. |
Does Gitea Allow JWT Auth already? I'm not that familar with Gitea's Server Code. The old artifacts v3 backend uses some sort of PAT token. GitHub reads the scp claim of the ACTIONS_RUNTIME_TOKEN as jwt or throws |
I'm trying to transist the ACTIONS_RUNTIME_TOKEN to jwt in #28885 using a backward compatible way. Requires runner changes. In case you wonder why this is needed here the error message
After this change to both runner and server, we get
assigning |
Uploading POC works for me locally using further Gitea changes on:
push:
jobs:
_0:
runs-on: self-hosted
steps:
- run: env
- run: |
github:
${{ tojson(github) }}
inputs:
${{ tojson(inputs) }}
matrix:
${{ tojson(matrix) }}
needs:
${{ tojson(needs) }}
strategy:
${{ tojson(strategy) }}
shell: cp {0} context.txt
- uses: christopherhx/gitea-upload-artifact@v4
with:
name: test
path: context.txt ChristopherHX/gitea@jwt-based-actions-runtime-token...ChristopherHX:gitea:gitea-artifacts-v4 Until finished, I'm not yet open a PR. Just for your information of the current state.
I don't like how GitHub blocks GHES using hardcoded asserts, until they support them officially Download artifact now working as well....... |
This change allows act_runner / actions_runner to use jwt tokens for `ACTIONS_RUNTIME_TOKEN` that are compatible with actions/upload-artifact@v4. The official Artifact actions are now validating and extracting the jwt claim scp to get the runid and jobid, the old artifact backend also needs to accept the same token jwt. --- Related to #28853 I'm not familar with the auth system, maybe you know how to improve this I have tested - the jwt token is a valid token for artifact uploading - the jwt token can be parsed by actions/upload-artifact@v4 and passes their scp claim validation Next steps would be a new artifacts@v4 backend. ~~I'm linking the act_runner change soonish.~~ act_runner change to make the change effective and use jwt tokens <https://gitea.com/gitea/act_runner/pulls/471>
This change allows act_runner / actions_runner to use jwt tokens for `ACTIONS_RUNTIME_TOKEN` that are compatible with actions/upload-artifact@v4. The official Artifact actions are now validating and extracting the jwt claim scp to get the runid and jobid, the old artifact backend also needs to accept the same token jwt. --- Related to go-gitea#28853 I'm not familar with the auth system, maybe you know how to improve this I have tested - the jwt token is a valid token for artifact uploading - the jwt token can be parsed by actions/upload-artifact@v4 and passes their scp claim validation Next steps would be a new artifacts@v4 backend. ~~I'm linking the act_runner change soonish.~~ act_runner change to make the change effective and use jwt tokens <https://gitea.com/gitea/act_runner/pulls/471>
Fixes #28853 Needs both https://gitea.com/gitea/act_runner/pulls/473 and https://gitea.com/gitea/act_runner/pulls/471 on the runner side and patched `actions/upload-artifact@v4` / `actions/download-artifact@v4`, like `christopherhx/gitea-upload-artifact@v4` and `christopherhx/gitea-download-artifact@v4`, to not return errors due to GHES not beeing supported yet.
Feature Description
The v4 has a different protocol than before.
Screenshots
No response
The text was updated successfully, but these errors were encountered: