document the secret and how it is different from the token

This commit is contained in:
Earl Warren 2023-09-04 18:19:15 +02:00 committed by earl-warren
parent b1bfa4968e
commit a379783994
4 changed files with 34 additions and 12 deletions

View file

@ -28,6 +28,8 @@ jobs:
run: | run: |
set -x set -x
cd examples/docker-compose cd examples/docker-compose
secret=$(openssl rand -hex 20)
sed -i -e "s/{SHARED_SECRET}/$secret/" compose-forgejo-and-runner.yml
cli="docker compose -f compose-forgejo-and-runner.yml -f compose-demo-workflow.yml" cli="docker compose -f compose-forgejo-and-runner.yml -f compose-demo-workflow.yml"
# #
# Launch # Launch

View file

@ -8,6 +8,20 @@ used by the `Forgejo runner` to execute the workflows.
### Running ### Running
Create a shared secret with:
```sh
openssl rand -hex 20
```
Replace all occurences of {SHARED_SECRET} in
[compose-forgejo-and-runner.yml](compose-forgejo-and-runner.yml).
> **NOTE:** a token obtained from the Forgejo web interface cannot be used as a shared secret.
Replace {ROOT_PASSWORD} with a secure password in
[compose-forgejo-and-runner.yml](compose-forgejo-and-runner.yml).
```sh ```sh
docker-compose -f compose-forgejo-and-runner.yml up docker-compose -f compose-forgejo-and-runner.yml up
Creating docker-compose_docker-in-docker_1 ... done Creating docker-compose_docker-in-docker_1 ... done
@ -27,17 +41,10 @@ To login the Forgejo instance:
* URL: http://0.0.0.0:8080 * URL: http://0.0.0.0:8080
* user: root * user: root
* password: admin1234 * password: {ROOT_PASSWORD}
`Forgejo Actions` is enabled by default when creating a repository. `Forgejo Actions` is enabled by default when creating a repository.
### Security
This is a demo and **must not be used in production** because:
* the runner secret is hardcoded
* the admin password is hardcoded to admin1234
## Tests workflow ## Tests workflow
The `compose-demo-workflow.yml` compose file runs a demo workflow to The `compose-demo-workflow.yml` compose file runs a demo workflow to

View file

@ -25,7 +25,7 @@ services:
git config user.name username ; git config user.name username ;
git commit -m 'demo' ; git commit -m 'demo' ;
while : ; do while : ; do
git push --set-upstream --force http://root:admin1234@forgejo:3000/root/test main && break ; git push --set-upstream --force http://root:{ROOT_PASSWORD}@forgejo:3000/root/test main && break ;
sleep 5 ; sleep 5 ;
done ; done ;
sha=`git rev-parse HEAD` ; sha=`git rev-parse HEAD` ;

View file

@ -1,6 +1,19 @@
# Copyright 2023 The Forgejo Authors. # Copyright 2023 The Forgejo Authors.
# SPDX-License-Identifier: MIT # SPDX-License-Identifier: MIT
#
# Create a secret with:
#
# openssl rand -hex 20
#
# Replace all occurences of {SHARED_SECRET} below with the output.
#
# NOTE: a token obtained from the Forgejo web interface cannot be used
# as a shared secret.
#
# Replace {ROOT_PASSWORD} with a secure password
#
version: "3" version: "3"
services: services:
@ -16,8 +29,8 @@ services:
bash -c ' bash -c '
/bin/s6-svscan /etc/s6 & /bin/s6-svscan /etc/s6 &
sleep 10 ; sleep 10 ;
su -c "forgejo forgejo-cli actions register --secret e3359786173a7aeb3818c19637479c5dbd7c5abb --labels docker --version 3.0.0" git ; su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET} --labels docker --version 3.0.0" git ;
su -c "forgejo admin user create --admin --username root --password admin1234 --email root@example.com" git ; su -c "forgejo admin user create --admin --username root --password {ROOT_PASSWORD} --email root@example.com" git ;
sleep infinity sleep infinity
' '
environment: environment:
@ -45,7 +58,7 @@ services:
command: >- command: >-
bash -c ' bash -c '
while : ; do while : ; do
forgejo-runner create-runner-file --instance http://forgejo:3000 --name runner --secret e3359786173a7aeb3818c19637479c5dbd7c5abb && break ; forgejo-runner create-runner-file --instance http://forgejo:3000 --name runner --secret {SHARED_SECRET} && break ;
sleep 1 ; sleep 1 ;
done ; done ;
forgejo-runner generate-config > config.yml ; forgejo-runner generate-config > config.yml ;