go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License
43.26k stars 5.32k forks

env: GIT_SSL_NO_VERIFY doesn't pass along to the container environment #31396

Open i2000s opened 1 month ago

i2000s commented 1 month ago

Description

I was trying to use the Gitea Action Runner to implement a document building process. But whenever I want to use actions/checkout@v2 from GitHub, it always fails to set up the job environment. The core error is

Extracting content to '/var/run/act/'
  ☁  git clone 'https://github.com/actions/checkout' # ref=v2
  cloning https://github.com/actions/checkout to /home/***/.cache/act/actions-checkout@v2
Unable to clone https://github.com/actions/checkout refs/heads/v2: Get "https://github.com/actions/checkout/info/refs?service=git-upload-pack": tls: failed to verify certificate: x509: certificate signed by unknown authority

Therefore, I have tried to set GIT_SSL_NO_VERIFY = true for the docker image to be loaded. But this variable doesn't seem to be passed along to the workflow. I have tried to include this variable setting in /etc/systemd/system/act_runner.service, as well as in my .gitea/workflow/build.yml file. For the latter case, I have the following setting:

name: Build and deploy document

on:
  push:
    branches:
      - master

env:
  BARE_REPO_DIR: /var/lib/gitea/data/gitea-repositories/pma/pma-mil.git
  CLONED_REPO_DIR: /var/lib/gitea/data/gitea-repositories/pma/pma-mil
  DEPLOYED_DIR: /var/www/html/PMA/PMA-MIL
  GIT_SSL_NO_VERIFY: true

jobs:
  build:
    name: Build documentation
    runs-on: ubuntu-22.04
    container:
      env:
        GIT_SSL_NO_VERIFY: true
    steps:
      - name: setup git and proxy
        run: |
          apt-get update
          apt-get install -y git   # -y: no interactive prompt inside the job container
          git config --global http.proxy http://${{ secrets.PROXY_USER }}:${{ secrets.PROXY_PASSWORD }}@proxyhk.huawei.com:8080
          git config --global https.proxy http://${{ secrets.PROXY_USER }}:${{ secrets.PROXY_PASSWORD }}@proxyhk.huawei.com:8080

      - name: Checkout code
        uses: actions/checkout@v2
        env:
          GIT_TRACE: 1
          GIT_CURL_VERBOSE: 1
        with:
          ref: ${{ github.ref }}

But in the runner's log, I cannot find anywhere that GIT_SSL_NO_VERIFY is set. Also, even though I have set RUNNER_TOOL_CACHE: /toolcache, in the log that variable is still set to its default value of /opt/hostedtoolcache ...

See the log below:

132_action_runner(version:v0.2.10) received task 52 of job 44, be triggered by event: push
workflow prepared
evaluating expression 'success()'
expression 'success()' evaluated to 'true'
🚀  Start image=gitea/runner-images:ubuntu-22.04
  🐳  docker pull image=gitea/runner-images:ubuntu-22.04 platform= username= forcePull=false
  🐳  docker pull gitea/runner-images:ubuntu-22.04
Image exists? true
Cleaning up network for job Build documentation, and network name is: GITEA-ACTIONS-TASK-52_WORKFLOW-Build-and-deploy-document_JOB-Build-documentation-build-network
  🐳  docker create image=gitea/runner-images:ubuntu-22.04 platform= entrypoint=["/bin/sleep" "10800"] cmd=[] network="GITEA-ACTIONS-TASK-52_WORKFLOW-Build-and-deploy-document_JOB-Build-documentation-build-network"
Custom container.Config from options ==> &{Hostname: Domainname: User: AttachStdin:false AttachStdout:true AttachStderr:true ExposedPorts:map[] Tty:false OpenStdin:false StdinOnce:false Env:[] Cmd:[] Healthcheck:<nil> ArgsEscaped:false Image: Volumes:map[] WorkingDir: Entrypoint:[] NetworkDisabled:false MacAddress: OnBuild:[] Labels:map[] StopSignal: StopTimeout:<nil> Shell:[]}
Merged container.Config ==> &{Hostname: Domainname: User: AttachStdin:false AttachStdout:true AttachStderr:true ExposedPorts:map[] Tty:false OpenStdin:false StdinOnce:false Env:[RUNNER_TOOL_CACHE=/opt/hostedtoolcache RUNNER_OS=Linux RUNNER_ARCH=X64 RUNNER_TEMP=/tmp LANG=C.UTF-8] Cmd:[] Healthcheck:<nil> ArgsEscaped:false Image:gitea/runner-images:ubuntu-22.04 Volumes:map[] WorkingDir:/workspace/PMA/PMA-MIL Entrypoint:[/bin/sleep 10800] NetworkDisabled:false MacAddress: OnBuild:[] Labels:map[] StopSignal: StopTimeout:<nil> Shell:[]}
Custom container.HostConfig from options ==> &{Binds:[] ContainerIDFile: LogConfig:{Type: Config:map[]} NetworkMode:GITEA-ACTIONS-TASK-52_WORKFLOW-Build-and-deploy-document_JOB-Build-documentation-build-network PortBindings:map[] RestartPolicy:{Name:no MaximumRetryCount:0} AutoRemove:false VolumeDriver: VolumesFrom:[] ConsoleSize:[0 0] Annotations:map[] CapAdd:[] CapDrop:[] CgroupnsMode: DNS:[] DNSOptions:[] DNSSearch:[] ExtraHosts:[] GroupAdd:[] IpcMode: Cgroup: Links:[] OomScoreAdj:0 PidMode: Privileged:false PublishAllPorts:false ReadonlyRootfs:false SecurityOpt:[] StorageOpt:map[] Tmpfs:map[] UTSMode: UsernsMode: ShmSize:0 Sysctls:map[] Runtime: Isolation: Resources:{CPUShares:0 Memory:0 NanoCPUs:0 CgroupParent: BlkioWeight:0 BlkioWeightDevice:[] BlkioDeviceReadBps:[] BlkioDeviceWriteBps:[] BlkioDeviceReadIOps:[] BlkioDeviceWriteIOps:[] CPUPeriod:0 CPUQuota:0 CPURealtimePeriod:0 CPURealtimeRuntime:0 CpusetCpus: CpusetMems: Devices:[] DeviceCgroupRules:[] DeviceRequests:[] KernelMemory:0 KernelMemoryTCP:0 MemoryReservation:0 MemorySwap:0 MemorySwappiness:0xc000670940 OomKillDisable:0xc00067083b PidsLimit:0xc0006709a0 Ulimits:[] CPUCount:0 CPUPercent:0 IOMaximumIOps:0 IOMaximumBandwidth:0} Mounts:[] MaskedPaths:[] ReadonlyPaths:[] Init:<nil>}
--network and --net in the options will be ignored.
Merged container.HostConfig ==> &{Binds:[/var/run/docker.sock:/var/run/docker.sock] ContainerIDFile: LogConfig:{Type: Config:map[]} NetworkMode:GITEA-ACTIONS-TASK-52_WORKFLOW-Build-and-deploy-document_JOB-Build-documentation-build-network PortBindings:map[] RestartPolicy:{Name:no MaximumRetryCount:0} AutoRemove:true VolumeDriver: VolumesFrom:[] ConsoleSize:[0 0] Annotations:map[] CapAdd:[] CapDrop:[] CgroupnsMode: DNS:[] DNSOptions:[] DNSSearch:[] ExtraHosts:[] GroupAdd:[] IpcMode: Cgroup: Links:[] OomScoreAdj:0 PidMode: Privileged:true PublishAllPorts:false ReadonlyRootfs:false SecurityOpt:[] StorageOpt:map[] Tmpfs:map[] UTSMode: UsernsMode: ShmSize:0 Sysctls:map[] Runtime: Isolation: Resources:{CPUShares:0 Memory:0 NanoCPUs:0 CgroupParent: BlkioWeight:0 BlkioWeightDevice:[] BlkioDeviceReadBps:[] BlkioDeviceWriteBps:[] BlkioDeviceReadIOps:[] BlkioDeviceWriteIOps:[] CPUPeriod:0 CPUQuota:0 CPURealtimePeriod:0 CPURealtimeRuntime:0 CpusetCpus: CpusetMems: Devices:[] DeviceCgroupRules:[] DeviceRequests:[] KernelMemory:0 KernelMemoryTCP:0 MemoryReservation:0 MemorySwap:0 MemorySwappiness:0xc000670940 OomKillDisable:0xc00067083b PidsLimit:0xc0006709a0 Ulimits:[] CPUCount:0 CPUPercent:0 IOMaximumIOps:0 IOMaximumBandwidth:0} Mounts:[{Type:volume Source:act-toolcache Target:/opt/hostedtoolcache ReadOnly:false Consistency: BindOptions:<nil> VolumeOptions:<nil> TmpfsOptions:<nil> ClusterOptions:<nil>} {Type:volume Source:GITEA-ACTIONS-TASK-52_WORKFLOW-Build-and-deploy-document_JOB-Build-documentation-env Target:/var/run/act ReadOnly:false Consistency: BindOptions:<nil> VolumeOptions:<nil> TmpfsOptions:<nil> ClusterOptions:<nil>} {Type:volume Source:GITEA-ACTIONS-TASK-52_WORKFLOW-Build-and-deploy-document_JOB-Build-documentation Target:/workspace/PMA/PMA-MIL ReadOnly:false Consistency: BindOptions:<nil> VolumeOptions:<nil> TmpfsOptions:<nil> ClusterOptions:<nil>}] MaskedPaths:[] ReadonlyPaths:[] Init:<nil>}
Created container name=GITEA-ACTIONS-TASK-52_WORKFLOW-Build-and-deploy-document_JOB-Build-documentation id=0964ebda47b41f8f806205e0a29ee791bcaf9effbe2bd96be9b20608cad83c15 from image gitea/runner-images:ubuntu-22.04 (platform: )
ENV ==> [RUNNER_TOOL_CACHE=/opt/hostedtoolcache RUNNER_OS=Linux RUNNER_ARCH=X64 RUNNER_TEMP=/tmp LANG=C.UTF-8]
  🐳  docker run image=gitea/runner-images:ubuntu-22.04 platform= entrypoint=["/bin/sleep" "10800"] cmd=[] network="GITEA-ACTIONS-TASK-52_WORKFLOW-Build-and-deploy-document_JOB-Build-documentation-build-network"
Starting container: 0964ebda47b41f8f806205e0a29ee791bcaf9effbe2bd96be9b20608cad83c15
Started container: 0964ebda47b41f8f806205e0a29ee791bcaf9effbe2bd96be9b20608cad83c15
Writing entry to tarball workflow/event.json len:4433
Writing entry to tarball workflow/envs.txt len:0
Extracting content to '/var/run/act/'
  ☁  git clone 'https://github.com/actions/checkout' # ref=v2
  cloning https://github.com/actions/checkout to /home/***/.cache/act/actions-checkout@v2
Unable to clone https://github.com/actions/checkout refs/heads/v2: Get "https://github.com/actions/checkout/info/refs?service=git-upload-pack": tls: failed to verify certificate: x509: certificate signed by unknown authority
Get "https://github.com/actions/checkout/info/refs?service=git-upload-pack": tls: failed to verify certificate: x509: certificate signed by unknown authority
skipping post step for 'Deploy to server'; step was not executed
skipping post step for 'Set up Python'; step was not executed
skipping post step for 'Checkout code'; step was not executed
Cleaning up container for job Build documentation
Removed container: 0964ebda47b41f8f806205e0a29ee791bcaf9effbe2bd96be9b20608cad83c15
  🐳  docker volume rm GITEA-ACTIONS-TASK-52_WORKFLOW-Build-and-deploy-document_JOB-Build-documentation
  🐳  docker volume rm GITEA-ACTIONS-TASK-52_WORKFLOW-Build-and-deploy-document_JOB-Build-documentation-env
Cleaning up network for job Build documentation, and network name is: GITEA-ACTIONS-TASK-52_WORKFLOW-Build-and-deploy-document_JOB-Build-documentation-build-network
🏁  Job failed
Get "https://github.com/actions/checkout/info/refs?service=git-upload-pack": tls: failed to verify certificate: x509: certificate signed by unknown authority

So, how can I make environment variables pass along to the container, and how can I make git clone work in this case? I believe there is a bug.

Gitea Version

1.21.4

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

2.41.0

Operating System

CentOS 7.9

How are you running Gitea?

Run Gitea from a binary, and the Action Runner from a binary. Everything is hosted on a CentOS server.

Database

None
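The failing clone in the log above runs inside the act_runner process on the host (note the cache path /home/***/.cache/act/actions-checkout@v2, not a path inside the job container), and act_runner is a Go program. GIT_SSL_NO_VERIFY is read by the git binary only; Go's net/http never looks at it, so exporting it in the unit file or the workflow cannot change the "certificate signed by unknown authority" result. The following is an added example written for this page, not code from Gitea or from the reporter. It builds a throwaway CA and a local HTTPS server whose chain ends at that CA (standing in for github.com behind a TLS-inspecting corporate proxy; the CA name and the smart-HTTP banner are constructed) and probes it the way the runner would: with system roots, with GIT_SSL_NO_VERIFY=true exported, with InsecureSkipVerify (the setting to avoid), and with the proxy CA added to RootCAs, which is the correct fix.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"os"
	"time"
)

// Result records how one HTTPS probe ended.
type Result struct {
	Status    int  // HTTP status on success, 0 on failure
	UnknownCA bool // Go rejected the chain as "certificate signed by unknown authority"
}

// mintCert builds an in-memory certificate (constructed for this example, not a real
// proxy CA). With parent == nil it is a self-signed CA; otherwise it is a loopback leaf
// signed by parent, standing in for github.com as seen through an intercepting proxy.
func mintCert(parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.Subject = pkix.Name{CommonName: "Example Corp Proxy CA"}
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.Subject = pkix.Name{CommonName: "github.com (intercepted)"}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// probe fetches url with the given client TLS settings (nil = Go defaults, i.e. the
// host's system roots) and reports whether chain verification is what failed.
func probe(url string, cfg *tls.Config) Result {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		var unknown x509.UnknownAuthorityError
		return Result{UnknownCA: errors.As(err, &unknown)}
	}
	resp.Body.Close()
	return Result{Status: resp.StatusCode}
}

// RunScenarios returns four Results, in order: system roots; system roots with
// GIT_SSL_NO_VERIFY=true exported; InsecureSkipVerify; proxy CA trusted explicitly.
func RunScenarios() ([]Result, error) {
	ca, caKey, err := mintCert(nil, nil)
	if err != nil {
		return nil, err
	}
	leaf, leafKey, err := mintCert(ca, caKey)
	if err != nil {
		return nil, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "001e# service=git-upload-pack\n") // constructed smart-HTTP banner
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw, ca.Raw}, PrivateKey: leafKey}}}
	srv.StartTLS()
	defer srv.Close()

	var out []Result
	out = append(out, probe(srv.URL, nil))
	os.Setenv("GIT_SSL_NO_VERIFY", "true") // git honours this; Go's net/http never reads it
	out = append(out, probe(srv.URL, nil))
	os.Unsetenv("GIT_SSL_NO_VERIFY")
	out = append(out, probe(srv.URL, &tls.Config{InsecureSkipVerify: true})) // accepts any cert: do not ship
	pool := x509.NewCertPool()
	pool.AddCert(ca) // with a real proxy CA file: pool.AppendCertsFromPEM(pemBytes)
	out = append(out, probe(srv.URL, &tls.Config{RootCAs: pool}))
	return out, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	names := []string{"system roots", "GIT_SSL_NO_VERIFY=true", "InsecureSkipVerify (unsafe)", "proxy CA trusted"}
	for i, r := range results {
		fmt.Printf("%-28s status=%d unknownCA=%v\n", names[i], r.Status, r.UnknownCA)
	}
}
```

The first two probes fail identically, which is the behaviour the issue reports; only the last two succeed. Of those, InsecureSkipVerify is the Go equivalent of what GIT_SSL_NO_VERIFY does for git and would let anything on the path substitute the action code the runner downloads and executes, so the fix to apply is the fourth one at the host level, where act_runner runs: on CentOS 7, copy the proxy's CA certificate into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust, or point the runner at a bundle that contains it via SSL_CERT_FILE in the act_runner.service environment (Go reads SSL_CERT_FILE and SSL_CERT_DIR when it loads system roots on Linux). The merged HostConfig in the log also shows Privileged:true and /var/run/docker.sock bound into the job container, which is one more reason not to pair that job with unverified downloads of third-party action code.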

techknowlogick commented 4 weeks ago

Thanks for the report! While this suggestion possibly won't affect anything, could you try bumping the checkout action to v4? Could you also try setting the env you want on the checkout step itself?