Merge pull request 'secure the docker-compose example and explain the difference with the token' (#77) from earl-warren/runner:wip-docs into main

Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/77
dachary 2023-09-30 14:19:49 +00:00
commit 8e93b0e8e8
4 changed files with 34 additions and 12 deletions


@ -28,6 +28,8 @@ jobs:
run: |
set -x
cd examples/docker-compose
secret=$(openssl rand -hex 20)
sed -i -e "s/{SHARED_SECRET}/$secret/" compose-forgejo-and-runner.yml
cli="docker compose -f compose-forgejo-and-runner.yml -f compose-demo-workflow.yml"
#
# Launch
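Review bot: Only {SHARED_SECRET} is substituted by the new `sed` line; `{ROOT_PASSWORD}` in compose-forgejo-and-runner.yml and compose-demo-workflow.yml stays as the literal admin password unless a step outside this hunk replaces it, so the demo runs with a placeholder credential and the push URL `http://root:{ROOT_PASSWORD}@forgejo:3000/...` depends on that placeholder surviving URL parsing. Generate and substitute it the same way: `password=$(openssl rand -hex 20)` followed by `sed -i -e "s/{ROOT_PASSWORD}/$password/" compose-forgejo-and-runner.yml compose-demo-workflow.yml`. Note also that `set -x` on the line above echoes the generated values into the job log; that is probably acceptable for an instance that lives only for this job, but a comment saying so would stop the pattern being copied elsewhere. The `run:` step begins outside the hunk.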


@ -8,6 +8,20 @@ used by the `Forgejo runner` to execute the workflows.
### Running
Create a shared secret with:
```sh
openssl rand -hex 20
```
Replace all occurences of {SHARED_SECRET} in
[compose-forgejo-and-runner.yml](compose-forgejo-and-runner.yml).
> **NOTE:** a token obtained from the Forgejo web interface cannot be used as a shared secret.
Replace {ROOT_PASSWORD} with a secure password in
[compose-forgejo-and-runner.yml](compose-forgejo-and-runner.yml).
```sh
docker-compose -f compose-forgejo-and-runner.yml up
Creating docker-compose_docker-in-docker_1 ... done
@ -27,17 +41,10 @@ To login the Forgejo instance:
* URL: http://0.0.0.0:8080
* user: root
* password: admin1234
* password: {ROOT_PASSWORD}
`Forgejo Actions` is enabled by default when creating a repository.
### Security
This is a demo and **must not be used in production** because:
* the runner secret is hardcoded
* the admin password is hardcoded to admin1234
## Tests workflow
The `compose-demo-workflow.yml` compose file runs a demo workflow to


@ -25,7 +25,7 @@ services:
git config user.name username ;
git commit -m 'demo' ;
while : ; do
git push --set-upstream --force http://root:admin1234@forgejo:3000/root/test main && break ;
git push --set-upstream --force http://root:{ROOT_PASSWORD}@forgejo:3000/root/test main && break ;
sleep 5 ;
done ;
sha=`git rev-parse HEAD` ;
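Review bot: The new push URL on the `{ROOT_PASSWORD}` line only works for passwords that are safe both inside a URL userinfo component and inside the enclosing single-quoted `bash -c '...'` string; a value containing `@`, `:`, `/`, `#`, `?`, `%`, whitespace or `'` will break the URL or terminate the shell string, and the README's "secure password" instruction gives no such constraint. Add a comment above the `git push` line, e.g. `# {ROOT_PASSWORD} must be URL-safe (no @ : / # ? % or whitespace) and contain no single quote, or be percent-encoded.` The password is also part of the `git push` process arguments and of the container's command line, so it is readable from in-container process listings and `docker inspect` while this loop runs; fine for a throwaway demo, but worth stating in the same comment. The `command:` block starts outside the hunk.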


@ -1,6 +1,19 @@
# Copyright 2023 The Forgejo Authors.
# SPDX-License-Identifier: MIT
#
# Create a secret with:
#
# openssl rand -hex 20
#
# Replace all occurences of {SHARED_SECRET} below with the output.
#
# NOTE: a token obtained from the Forgejo web interface cannot be used
# as a shared secret.
#
# Replace {ROOT_PASSWORD} with a secure password
#
version: "3"
services:
@ -16,8 +29,8 @@ services:
bash -c '
/bin/s6-svscan /etc/s6 &
sleep 10 ;
su -c "forgejo forgejo-cli actions register --secret e3359786173a7aeb3818c19637479c5dbd7c5abb --labels docker --version 3.0.0" git ;
su -c "forgejo admin user create --admin --username root --password admin1234 --email root@example.com" git ;
su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET} --labels docker --version 3.0.0" git ;
su -c "forgejo admin user create --admin --username root --password {ROOT_PASSWORD} --email root@example.com" git ;
sleep infinity
'
environment:
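Review bot: The `--password {ROOT_PASSWORD}` and `--secret {SHARED_SECRET}` arguments sit in a double-quoted `su -c "..."` string inside a single-quoted `bash -c '...'` string, so a password containing `"`, `'`, `$`, a backtick or a backslash is rewritten or breaks the command; `openssl rand -hex 20` output is safe for the secret, but the README places no such restriction on the password. A line in this file's header block would save the next user a confusing failure, e.g. `# {ROOT_PASSWORD} must not contain " ' $ \ or backticks (it is interpolated into a shell command).` Both values are also part of the container's command line and therefore readable via `docker inspect` and in-container process listings, and once filled in this compose file holds live credentials; the README hunk appears to drop the old "must not be used in production" warning without a replacement, so a `# NOTE: the filled-in file contains credentials; keep it out of version control.` next to the existing header instructions would be worth adding. The `command:` block begins outside the hunk.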
@ -45,7 +58,7 @@ services:
command: >-
bash -c '
while : ; do
forgejo-runner create-runner-file --instance http://forgejo:3000 --name runner --secret e3359786173a7aeb3818c19637479c5dbd7c5abb && break ;
forgejo-runner create-runner-file --instance http://forgejo:3000 --name runner --secret {SHARED_SECRET} && break ;
sleep 1 ;
done ;
forgejo-runner generate-config > config.yml ;