fd7c8580af
You can currently expose the token to jobs even while using docker in docker `-e GITEA_RUNNER_REGISTRATION_TOKEN` tells the docker client of act to read GITEA_RUNNER_REGISTRATION_TOKEN from the process and now it can be stolen. Reviewed-on: https://gitea.com/gitea/act_runner/pulls/188 Reviewed-by: Jason Song <i@wolfogre.com> Co-authored-by: ChristopherHX <christopherhx@noreply.gitea.io> Co-committed-by: ChristopherHX <christopherhx@noreply.gitea.io>
48 lines
1.3 KiB
Bash
Executable File
48 lines
1.3 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
if [[ ! -d /data ]]; then
|
|
mkdir -p /data
|
|
fi
|
|
|
|
cd /data
|
|
|
|
CONFIG_ARG=""
|
|
if [[ ! -z "${CONFIG_FILE}" ]]; then
|
|
CONFIG_ARG="--config ${CONFIG_FILE}"
|
|
fi
|
|
|
|
# Use the same ENV variable names as https://github.com/vegardit/docker-gitea-act-runner
|
|
|
|
if [[ ! -s .runner ]]; then
|
|
try=$((try + 1))
|
|
success=0
|
|
|
|
# The point of this loop is to make it simple, when running both act_runner and gitea in docker,
|
|
# for the act_runner to wait a moment for gitea to become available before erroring out. Within
|
|
# the context of a single docker-compose, something similar could be done via healthchecks, but
|
|
# this is more flexible.
|
|
while [[ $success -eq 0 ]] && [[ $try -lt ${GITEA_MAX_REG_ATTEMPTS:-10} ]]; do
|
|
act_runner register \
|
|
--instance "${GITEA_INSTANCE_URL}" \
|
|
--token "${GITEA_RUNNER_REGISTRATION_TOKEN}" \
|
|
--name "${GITEA_RUNNER_NAME:-`hostname`}" \
|
|
--labels "${GITEA_RUNNER_LABELS}" \
|
|
${CONFIG_ARG} --no-interactive > /tmp/reg.log 2>&1
|
|
|
|
cat /tmp/reg.log
|
|
|
|
cat /tmp/reg.log | grep 'Runner registered successfully' > /dev/null
|
|
if [[ $? -eq 0 ]]; then
|
|
echo "SUCCESS"
|
|
success=1
|
|
else
|
|
echo "Waiting to retry ..."
|
|
sleep 5
|
|
fi
|
|
done
|
|
fi
|
|
# Prevent reading the token from the act_runner process
|
|
unset GITEA_RUNNER_REGISTRATION_TOKEN
|
|
|
|
act_runner daemon ${CONFIG_ARG}
|