feat: implement ephemeral runners (#9962)

As described in [this comment](https://gitea.com/gitea/act_runner/issues/19#issuecomment-739221) one-job runners are not secure when running in host mode. We implemented a routine preventing runner tokens from receiving a second job in order to render a potentially compromised token useless. Also we implemented a routine that removes finished runners as soon as possible. Big thanks to [ChristopherHX](https://github.com/ChristopherHX) who did all the work for gitea! Rel: #9407 ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [ ] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] I do not want this change to show in the release notes. - [ ] I want the title to show in the release notes with a link to this pull request. - [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9962 Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org> Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org> Co-authored-by: Manuel Ganter <manuel.ganter@think-ahead.tech> Co-committed-by: Manuel Ganter <manuel.ganter@think-ahead.tech>
2026-05-12 22:10:25 +00:00 · 2026-02-16 18:56:56 +01:00 · 2026-02-16 18:56:56 +01:00 · 5b6bbabd74
commit 5b6bbabd74
parent b085be779c
33 changed files with 1130 additions and 41 deletions
--- a/cmd/forgejo/actions.go
+++ b/cmd/forgejo/actions.go
@ -102,6 +102,11 @@ func SubcmdActionsRegister(ctx context.Context) *cli.Command {
 				Value: "",
 				Usage: "version of the runner (not required since v1.21)",
 			},
+			&cli.BoolFlag{
+				Name:  "ephemeral",
+				Value: false,
+				Usage: "instruct Forgejo to permanently unregister this runner after it has run one job",
+			},
 		},
 	}
 }
@ -172,6 +177,7 @@ func RunRegister(ctx context.Context, cli *cli.Command) error {
 	scope := cli.String("scope")
 	name := cli.String("name")
 	version := cli.String("version")
+	ephemeral := cli.Bool("ephemeral")
 	labels, err := getLabels(cli)
 	if err != nil {
 		return err
@ -199,7 +205,7 @@ func RunRegister(ctx context.Context, cli *cli.Command) error {
 		return err
 	}

-	runner, err := actions_model.RegisterRunner(ctx, owner, repo, secret, labels, name, version)
+	runner, err := actions_model.RegisterRunner(ctx, owner, repo, secret, labels, name, version, ephemeral)
 	if err != nil {
 		return fmt.Errorf("error while registering runner: %v", err)
 	}