mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-03 08:03:34 +00:00
## Summary This PR adds **scoped workflows** to Gitea Actions. Workflows defined centrally in a "source" repository that automatically run on every repository in scope: an organization's repositories, or (for instance admins) every repository on the instance. Each scoped run executes in the consuming repository's own context (its runners, secrets, and branch) while its content is read from the source repository, so an org or instance can mandate shared CI across many repositories without copying workflow files into each one. An owner or instance admin registers source repositories on a settings page and can mark individual workflows as **required**. A required scoped workflow cannot be opted out by a consuming repository and gates its pull-request merges; an optional one can be disabled per repository. Scoped workflows live under a dedicated `SCOPED_WORKFLOW_DIRS` (default `.gitea/scoped_workflows`), kept separate from regular `WORKFLOW_DIRS`. ## Main changes ### Configuration New `SCOPED_WORKFLOW_DIRS` setting, validated to not overlap with `WORKFLOW_DIRS`. Default: `.gitea/scoped_workflows` ### Data model & migration - New `action_scoped_workflow_source` table mapping a registering owner (`owner_id`, where `0` = instance-level) to a source repository, with a per-workflow `WorkflowConfigs` map. - `ActionRun` gains `WorkflowRepoID` / `WorkflowCommitSHA` (the pinned content source) and an `IsScopedRun` flag. ### Detection & run creation On consumer events, scoped workflows from the effective sources (the owner's own sources plus instance-level ones) are matched and turned into runs that execute in the consumer's context, with content pinned to the source repo's default-branch commit. `on: workflow_run` and `on: schedule` are currently not supported. ### Opt-out A consuming repository can disable an optional scoped workflow (tracked separately from regular `DisabledWorkflows`); required scoped workflows can never be disabled, opted out, or bypassed. ### Commit status A scoped run's status context format is `"<source repo full name>: <workflow display name> / <job> (<event>)"` (for example: `my-org/scoped-workflows: db-tests / test-sqlite (pull_request)`), keeping it distinct from a same-named repo-level workflow and from other sources. ### Required status checks Admins mark workflows required and supply status-check patterns. `EffectiveRequiredContexts` appends those patterns to the branch protection's required contexts and they are matched must-present-and-pass. If the status checks from scoped workflows fail, the PR cannot be merged. NOTE: scoped workflows' required status checks patterns can protect any target branch that has a protection rule, even though the rule's "Status Check" is disabled. A target branch with no protection rule cannot be protected. <details> <summary>Screenshots</summary> <img width="1400" alt="image" src="https://github.com/user-attachments/assets/a5d1db33-15ec-487e-93be-2bc04b4e6643" /> </details> ### Reusable workflows (`uses:`) A scoped workflow's local `uses: ./...` resolves against the source repository. `uses:` directory validation honors the instance-configurable `WORKFLOW_DIRS` and `SCOPED_WORKFLOW_DIRS` (previously hardcoded to `.gitea`/`.github/workflows`). ### Manual dispatch `workflow_dispatch` is supported for scoped workflows (web and API), resolving inputs/content from the source repo. ### Performance A process-local LRU cache keyed by source repo ID for the per-source workflow parse, so instance-level and owner-level sources don't open the source repo and parse workflow files on every event. ### UI Org / user / admin pages to register and remove sources, search repositories, and mark workflows required with their status-check patterns. The repository Actions sidebar groups scoped workflows by source with owner/instance labels and required/disabled badges. <details> <summary>Screenshots</summary> Scoped workflows setting page: <img width="1600" alt="image" src="https://github.com/user-attachments/assets/9d19f667-97a5-4935-92b2-e53f105e3642" /> Consumer repo's Actions runs list: <img width="1600" alt="image" src="https://github.com/user-attachments/assets/a77241f9-0aa9-41aa-ba73-12a9a688cb64" /> - `Owner`: this is a owner-level scoped workflows source repo - `Global`: this is a global scoped workflows source repo - `Required`: this scoped workflow is required, repo admin cannot disable it </details> --- Docs: https://gitea.com/gitea/docs/pulls/447 --------- Co-authored-by: bircni <bircni@icloud.com>
407 lines
13 KiB
Go
407 lines
13 KiB
Go
// Copyright 2023 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package repository
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
|
|
actions_model "gitea.dev/models/actions"
|
|
activities_model "gitea.dev/models/activities"
|
|
admin_model "gitea.dev/models/admin"
|
|
"gitea.dev/models/db"
|
|
git_model "gitea.dev/models/git"
|
|
issues_model "gitea.dev/models/issues"
|
|
"gitea.dev/models/organization"
|
|
packages_model "gitea.dev/models/packages"
|
|
access_model "gitea.dev/models/perm/access"
|
|
project_model "gitea.dev/models/project"
|
|
repo_model "gitea.dev/models/repo"
|
|
secret_model "gitea.dev/models/secret"
|
|
system_model "gitea.dev/models/system"
|
|
user_model "gitea.dev/models/user"
|
|
"gitea.dev/models/webhook"
|
|
actions_module "gitea.dev/modules/actions"
|
|
"gitea.dev/modules/gitrepo"
|
|
"gitea.dev/modules/graceful"
|
|
"gitea.dev/modules/lfs"
|
|
"gitea.dev/modules/log"
|
|
"gitea.dev/modules/storage"
|
|
actions_service "gitea.dev/services/actions"
|
|
asymkey_service "gitea.dev/services/asymkey"
|
|
issue_service "gitea.dev/services/issue"
|
|
|
|
"xorm.io/builder"
|
|
)
|
|
|
|
func deleteDBRepository(ctx context.Context, repoID int64) error {
|
|
if cnt, err := db.GetEngine(ctx).ID(repoID).Delete(&repo_model.Repository{}); err != nil {
|
|
return err
|
|
} else if cnt != 1 {
|
|
return repo_model.ErrRepoNotExist{
|
|
ID: repoID,
|
|
OwnerName: "",
|
|
Name: "",
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// DeleteRepository deletes a repository for a user or organization.
|
|
// make sure if you call this func to close open sessions (sqlite will otherwise get a deadlock)
|
|
func DeleteRepositoryDirectly(ctx context.Context, repoID int64, ignoreOrgTeams ...bool) error {
|
|
ctx, committer, err := db.TxContext(ctx)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer committer.Close()
|
|
sess := db.GetEngine(ctx)
|
|
|
|
repo := &repo_model.Repository{}
|
|
has, err := sess.ID(repoID).Get(repo)
|
|
if err != nil {
|
|
return err
|
|
} else if !has {
|
|
return repo_model.ErrRepoNotExist{
|
|
ID: repoID,
|
|
OwnerName: "",
|
|
Name: "",
|
|
}
|
|
}
|
|
|
|
// Query the action tasks of this repo, they will be needed after they have been deleted to remove the logs
|
|
tasks, err := db.Find[actions_model.ActionTask](ctx, actions_model.FindTaskOptions{RepoID: repoID})
|
|
if err != nil {
|
|
return fmt.Errorf("find actions tasks of repo %v: %w", repoID, err)
|
|
}
|
|
|
|
// Query the artifacts of this repo, they will be needed after they have been deleted to remove artifacts files in ObjectStorage
|
|
artifacts, err := db.Find[actions_model.ActionArtifact](ctx, actions_model.FindArtifactsOptions{RepoID: repoID})
|
|
if err != nil {
|
|
return fmt.Errorf("list actions artifacts of repo %v: %w", repoID, err)
|
|
}
|
|
|
|
// In case owner is a organization, we have to change repo specific teams
|
|
// if ignoreOrgTeams is not true
|
|
var org *user_model.User
|
|
if len(ignoreOrgTeams) == 0 || !ignoreOrgTeams[0] {
|
|
if org, err = user_model.GetUserByID(ctx, repo.OwnerID); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// Delete Deploy Keys
|
|
deleted, err := asymkey_service.DeleteRepoDeployKeys(ctx, repoID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
needRewriteKeysFile := deleted > 0
|
|
|
|
if err := deleteDBRepository(ctx, repoID); err != nil {
|
|
return err
|
|
}
|
|
|
|
if org != nil && org.IsOrganization() {
|
|
teams, err := organization.FindOrgTeams(ctx, org.ID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
for _, t := range teams {
|
|
if !organization.HasTeamRepo(ctx, t.OrgID, t.ID, repoID) {
|
|
continue
|
|
} else if err = removeRepositoryFromTeam(ctx, t, repo, false); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
|
|
attachments := make([]*repo_model.Attachment, 0, 20)
|
|
if err = sess.Join("INNER", "`release`", "`release`.id = `attachment`.release_id").
|
|
Where("`release`.repo_id = ?", repoID).
|
|
Find(&attachments); err != nil {
|
|
return err
|
|
}
|
|
releaseAttachments := make([]string, 0, len(attachments))
|
|
for i := 0; i < len(attachments); i++ {
|
|
releaseAttachments = append(releaseAttachments, attachments[i].RelativePath())
|
|
}
|
|
|
|
if _, err := db.Exec(ctx, "UPDATE `user` SET num_stars=num_stars-1 WHERE id IN (SELECT `uid` FROM `star` WHERE repo_id = ?)", repo.ID); err != nil {
|
|
return err
|
|
}
|
|
|
|
if _, err := db.GetEngine(ctx).In("hook_id", builder.Select("id").From("webhook").Where(builder.Eq{"webhook.repo_id": repo.ID})).
|
|
Delete(&webhook.HookTask{}); err != nil {
|
|
return err
|
|
}
|
|
|
|
// CleanupEphemeralRunnersByPickedTaskOfRepo deletes ephemeral global/org/user that have started any task of this repo
|
|
// The cannot pick a second task hardening for ephemeral runners expect that task objects remain available until runner deletion
|
|
// This method will delete affected ephemeral global/org/user runners
|
|
// &actions_model.ActionRunner{RepoID: repoID} does only handle ephemeral repository runners
|
|
if err := actions_service.CleanupEphemeralRunnersByPickedTaskOfRepo(ctx, repoID); err != nil {
|
|
return fmt.Errorf("cleanupEphemeralRunners: %w", err)
|
|
}
|
|
|
|
if err := db.DeleteBeans(ctx,
|
|
&access_model.Access{RepoID: repo.ID},
|
|
&activities_model.Action{RepoID: repo.ID},
|
|
&repo_model.Collaboration{RepoID: repoID},
|
|
&issues_model.Comment{RefRepoID: repoID},
|
|
&git_model.CommitStatus{RepoID: repoID},
|
|
&git_model.Branch{RepoID: repoID},
|
|
&git_model.LFSLock{RepoID: repoID},
|
|
&repo_model.LanguageStat{RepoID: repoID},
|
|
&repo_model.RepoLicense{RepoID: repoID},
|
|
&issues_model.Milestone{RepoID: repoID},
|
|
&repo_model.Mirror{RepoID: repoID},
|
|
&activities_model.Notification{RepoID: repoID},
|
|
&git_model.ProtectedBranch{RepoID: repoID},
|
|
&git_model.ProtectedTag{RepoID: repoID},
|
|
&repo_model.PushMirror{RepoID: repoID},
|
|
&repo_model.Release{RepoID: repoID},
|
|
&repo_model.RepoIndexerStatus{RepoID: repoID},
|
|
&repo_model.Redirect{RedirectRepoID: repoID},
|
|
&repo_model.RepoUnit{RepoID: repoID},
|
|
&repo_model.Star{RepoID: repoID},
|
|
&admin_model.Task{RepoID: repoID},
|
|
&repo_model.Watch{RepoID: repoID},
|
|
&webhook.Webhook{RepoID: repoID},
|
|
&secret_model.Secret{RepoID: repoID},
|
|
&actions_model.ActionTaskStep{RepoID: repoID},
|
|
&actions_model.ActionTask{RepoID: repoID},
|
|
&actions_model.ActionRunJob{RepoID: repoID},
|
|
&actions_model.ActionRun{RepoID: repoID},
|
|
&actions_model.ActionRunner{RepoID: repoID},
|
|
&actions_model.ActionScheduleSpec{RepoID: repoID},
|
|
&actions_model.ActionSchedule{RepoID: repoID},
|
|
&actions_model.ActionArtifact{RepoID: repoID},
|
|
&actions_model.ActionRunJobSummary{RepoID: repoID},
|
|
&actions_model.ActionRunnerToken{RepoID: repoID},
|
|
&actions_model.ActionScopedWorkflowSource{SourceRepoID: repoID},
|
|
&issues_model.IssuePin{RepoID: repoID},
|
|
); err != nil {
|
|
return fmt.Errorf("deleteBeans: %w", err)
|
|
}
|
|
|
|
// Delete Labels and related objects
|
|
if err := issues_model.DeleteLabelsByRepoID(ctx, repoID); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Delete Pulls and related objects
|
|
if err := issues_model.DeletePullsByBaseRepoID(ctx, repoID); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Delete Issues and related objects
|
|
var attachmentPaths []string
|
|
if attachmentPaths, err = issue_service.DeleteIssuesByRepoID(ctx, repoID); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Delete issue index
|
|
if err := db.DeleteResourceIndex(ctx, "issue_index", repoID); err != nil {
|
|
return err
|
|
}
|
|
|
|
if repo.IsFork {
|
|
if _, err := db.Exec(ctx, "UPDATE `repository` SET num_forks=num_forks-1 WHERE id=?", repo.ForkID); err != nil {
|
|
return fmt.Errorf("decrease fork count: %w", err)
|
|
}
|
|
}
|
|
|
|
if _, err := db.Exec(ctx, "UPDATE `user` SET num_repos=num_repos-1 WHERE id=?", repo.OwnerID); err != nil {
|
|
return err
|
|
}
|
|
|
|
if len(repo.Topics) > 0 {
|
|
if err := repo_model.RemoveTopicsFromRepo(ctx, repo.ID); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
if err := project_model.DeleteProjectByRepoID(ctx, repoID); err != nil {
|
|
return fmt.Errorf("unable to delete projects for repo[%d]: %w", repoID, err)
|
|
}
|
|
|
|
// Remove LFS objects
|
|
var lfsObjects []*git_model.LFSMetaObject
|
|
if err = sess.Where("repository_id=?", repoID).Find(&lfsObjects); err != nil {
|
|
return err
|
|
}
|
|
|
|
lfsPaths := make([]string, 0, len(lfsObjects))
|
|
for _, v := range lfsObjects {
|
|
count, err := db.CountByBean(ctx, &git_model.LFSMetaObject{Pointer: lfs.Pointer{Oid: v.Oid}})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if count > 1 {
|
|
continue
|
|
}
|
|
|
|
lfsPaths = append(lfsPaths, v.RelativePath())
|
|
}
|
|
|
|
if _, err := db.DeleteByBean(ctx, &git_model.LFSMetaObject{RepositoryID: repoID}); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Remove archives
|
|
var archives []*repo_model.RepoArchiver
|
|
if err = sess.Where("repo_id=?", repoID).Find(&archives); err != nil {
|
|
return err
|
|
}
|
|
|
|
archivePaths := make([]string, 0, len(archives))
|
|
for _, v := range archives {
|
|
archivePaths = append(archivePaths, v.RelativePath())
|
|
}
|
|
|
|
if _, err := db.DeleteByBean(ctx, &repo_model.RepoArchiver{RepoID: repoID}); err != nil {
|
|
return err
|
|
}
|
|
|
|
if repo.NumForks > 0 {
|
|
if _, err = sess.Exec("UPDATE `repository` SET fork_id=0,is_fork=? WHERE fork_id=?", false, repo.ID); err != nil {
|
|
log.Error("reset 'fork_id' and 'is_fork': %v", err)
|
|
}
|
|
}
|
|
|
|
// Get all attachments with both issue_id and release_id are zero
|
|
var newAttachments []*repo_model.Attachment
|
|
if err := sess.Where(builder.Eq{
|
|
"repo_id": repo.ID,
|
|
"issue_id": 0,
|
|
"release_id": 0,
|
|
}).Find(&newAttachments); err != nil {
|
|
return err
|
|
}
|
|
|
|
newAttachmentPaths := make([]string, 0, len(newAttachments))
|
|
for _, attach := range newAttachments {
|
|
newAttachmentPaths = append(newAttachmentPaths, attach.RelativePath())
|
|
}
|
|
|
|
if _, err := sess.Where("repo_id=?", repo.ID).Delete(new(repo_model.Attachment)); err != nil {
|
|
return err
|
|
}
|
|
|
|
// unlink packages linked to this repository
|
|
if err = packages_model.UnlinkRepositoryFromAllPackages(ctx, repoID); err != nil {
|
|
return err
|
|
}
|
|
|
|
if err = committer.Commit(); err != nil {
|
|
return err
|
|
}
|
|
|
|
committer.Close()
|
|
|
|
if needRewriteKeysFile {
|
|
if err := asymkey_service.RewriteAllPublicKeys(ctx); err != nil {
|
|
log.Error("RewriteAllPublicKeys failed: %v", err)
|
|
}
|
|
}
|
|
|
|
// We should always delete the files after the database transaction succeed. If
|
|
// we delete the file but the database rollback, the repository will be broken.
|
|
|
|
// Remove repository files.
|
|
if err := gitrepo.DeleteRepository(ctx, repo); err != nil {
|
|
desc := fmt.Sprintf("Delete repository files (%s): %v", repo.FullName(), err)
|
|
if err = system_model.CreateNotice(graceful.GetManager().ShutdownContext(), system_model.NoticeRepository, desc); err != nil {
|
|
log.Error("CreateRepositoryNotice: %v", err)
|
|
}
|
|
}
|
|
|
|
// Remove wiki files if it exists.
|
|
if err := gitrepo.DeleteRepository(ctx, repo.WikiStorageRepo()); err != nil {
|
|
desc := fmt.Sprintf("Delete wiki repository files (%s): %v", repo.FullName(), err)
|
|
// Note we use the db.DefaultContext here rather than passing in a context as the context may be cancelled
|
|
if err = system_model.CreateNotice(graceful.GetManager().ShutdownContext(), system_model.NoticeRepository, desc); err != nil {
|
|
log.Error("CreateRepositoryNotice: %v", err)
|
|
}
|
|
}
|
|
|
|
// Remove archives
|
|
for _, archive := range archivePaths {
|
|
system_model.RemoveStorageWithNotice(ctx, storage.RepoArchives, "Delete repo archive file", archive)
|
|
}
|
|
|
|
// Remove lfs objects
|
|
for _, lfsObj := range lfsPaths {
|
|
system_model.RemoveStorageWithNotice(ctx, storage.LFS, "Delete orphaned LFS file", lfsObj)
|
|
}
|
|
|
|
// Remove issue attachment files.
|
|
for _, attachment := range attachmentPaths {
|
|
system_model.RemoveStorageWithNotice(ctx, storage.Attachments, "Delete issue attachment", attachment)
|
|
}
|
|
|
|
// Remove release attachment files.
|
|
for _, releaseAttachment := range releaseAttachments {
|
|
system_model.RemoveStorageWithNotice(ctx, storage.Attachments, "Delete release attachment", releaseAttachment)
|
|
}
|
|
|
|
// Remove attachment with no issue_id and release_id.
|
|
for _, newAttachment := range newAttachmentPaths {
|
|
system_model.RemoveStorageWithNotice(ctx, storage.Attachments, "Delete issue attachment", newAttachment)
|
|
}
|
|
|
|
if len(repo.Avatar) > 0 {
|
|
if err := storage.RepoAvatars.Delete(repo.CustomAvatarRelativePath()); err != nil {
|
|
log.Error("remove avatar file %q: %v", repo.CustomAvatarRelativePath(), err)
|
|
// go on
|
|
}
|
|
}
|
|
|
|
// Finally, delete action logs after the actions have already been deleted to avoid new log files
|
|
for _, task := range tasks {
|
|
err := actions_module.RemoveLogs(ctx, task.LogInStorage, task.LogFilename)
|
|
if err != nil {
|
|
log.Error("remove log file %q: %v", task.LogFilename, err)
|
|
// go on
|
|
}
|
|
}
|
|
|
|
// delete actions artifacts in ObjectStorage after the repo have already been deleted
|
|
for _, art := range artifacts {
|
|
if err := storage.ActionsArtifacts.Delete(art.StoragePath); err != nil {
|
|
log.Error("remove artifact file %q: %v", art.StoragePath, err)
|
|
// go on
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// DeleteOwnerRepositoriesDirectly calls DeleteRepositoryDirectly for all repos of the given owner
|
|
func DeleteOwnerRepositoriesDirectly(ctx context.Context, owner *user_model.User) error {
|
|
for {
|
|
repos, _, err := repo_model.GetUserRepositories(ctx, repo_model.SearchRepoOptions{
|
|
ListOptions: db.ListOptions{
|
|
PageSize: repo_model.RepositoryListDefaultPageSize,
|
|
Page: 1,
|
|
},
|
|
Private: true,
|
|
OwnerID: owner.ID,
|
|
Actor: owner,
|
|
})
|
|
if err != nil {
|
|
return fmt.Errorf("GetUserRepositories: %w", err)
|
|
}
|
|
if len(repos) == 0 {
|
|
break
|
|
}
|
|
for _, repo := range repos {
|
|
if err := DeleteRepositoryDirectly(ctx, repo.ID); err != nil {
|
|
return fmt.Errorf("unable to delete repository %s for %s[%d]. Error: %w", repo.Name, owner.Name, owner.ID, err)
|
|
}
|
|
}
|
|
}
|
|
return nil
|
|
}
|