From d867b25e72b940728f82327925d474ecd68a3256 Mon Sep 17 00:00:00 2001 From: Andreas Ahlenstorf Date: Fri, 1 May 2026 22:07:22 +0200 Subject: [PATCH] chore: replace `github.com/robfig/cron/v3` (#12365) github.com/robfig/cron is used for parsing cron schedules of scheduled Forgejo Actions workflows. It has not seen an update in roughly six years and looks abandoned. There are multiple code paths that trigger panics instead of errors. It is replaced by github.com/gdgvda/cron, which is one of the few maintained forks. github.com/gdgvda/cron was picked because its behaviour is fully backwards-compatible and the developers are responsive. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12365 Reviewed-by: limiting-factor Reviewed-by: Gusted --- assets/go-licenses.json | 5 +++++ go.mod | 3 ++- go.sum | 2 ++ models/actions/schedule_spec.go | 15 ++++++--------- services/actions/schedule_tasks.go | 2 +- 5 files changed, 16 insertions(+), 11 deletions(-) diff --git a/assets/go-licenses.json b/assets/go-licenses.json index 330b5cbed6..41b1135033 100644 --- a/assets/go-licenses.json +++ b/assets/go-licenses.json @@ -549,6 +549,11 @@ "path": "github.com/fxamacker/cbor/v2/LICENSE", "licenseText": "MIT License\n\nCopyright (c) 2019-present Faye Amacker\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE." }, + { + "name": "github.com/gdgvda/cron", + "path": "github.com/gdgvda/cron/LICENSE", + "licenseText": "Copyright (C) 2012 Rob Figueiredo\nAll Rights Reserved.\n\nMIT LICENSE\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of\nthe Software, and to permit persons to whom the Software is furnished to do so,\nsubject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS\nFOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\nCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER\nIN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN\nCONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n" + }, { "name": "github.com/gliderlabs/ssh", "path": "github.com/gliderlabs/ssh/LICENSE", diff --git a/go.mod b/go.mod index fbd61df592..3813849121 100644 --- a/go.mod +++ b/go.mod @@ -42,6 +42,7 @@ require ( github.com/emersion/go-imap v1.2.1 github.com/felixge/fgprof v0.9.5 github.com/fsnotify/fsnotify v1.9.0 + github.com/gdgvda/cron v0.7.0 github.com/gliderlabs/ssh v0.3.8 github.com/go-ap/activitypub v0.0.0-20260208110334-902f6cf8c2cc github.com/go-ap/jsonld v0.0.0-20251216162253-e38fa664ea77 @@ -88,7 +89,6 @@ require ( github.com/pquerna/otp v1.5.0 github.com/prometheus/client_golang v1.21.1 github.com/redis/go-redis/v9 v9.17.3 - github.com/robfig/cron/v3 v3.0.1 github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 github.com/sergi/go-diff v1.4.0 github.com/stretchr/testify v1.11.1 @@ -238,6 +238,7 @@ require ( github.com/prometheus/procfs v0.15.1 // indirect github.com/rhysd/actionlint v1.7.10 // indirect github.com/rivo/uniseg v0.4.7 // indirect + github.com/robfig/cron/v3 v3.0.1 // indirect github.com/rs/xid v1.6.0 // indirect github.com/sirupsen/logrus v1.9.4 // indirect github.com/sorairolake/lzip-go v0.3.8 // indirect diff --git a/go.sum b/go.sum index 2641bb63ff..34aa5f4f7a 100644 --- a/go.sum +++ b/go.sum @@ -253,6 +253,8 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= github.com/fxamacker/cbor/v2 v2.9.1 h1:2rWm8B193Ll4VdjsJY28jxs70IdDsHRWgQYAI80+rMQ= github.com/fxamacker/cbor/v2 v2.9.1/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= +github.com/gdgvda/cron v0.7.0 h1:LFPZUTbCb5ZpzYxavbQDDbjd6nwTwkiNUWyulOdlY2I= +github.com/gdgvda/cron v0.7.0/go.mod h1:caBF+mzTZGtQqFE05T1m6u9OmCASY3EK51XAICf3wio= github.com/go-ap/activitypub v0.0.0-20260208110334-902f6cf8c2cc h1:yLe7YJhK+XNjNV4SqDxAjpWAgft+KU+XwKZS4AKEUV0= github.com/go-ap/activitypub v0.0.0-20260208110334-902f6cf8c2cc/go.mod h1:jUs8eczo1EAT4ByRpZ4mQmNvjarw9eNf7Nm5udpMRhY= github.com/go-ap/errors v0.0.0-20260208110149-e1b309365966 h1:tV+3kZgqFMKVUf+JPKBV400ISM8440+6y/SQCS0WZwQ= diff --git a/models/actions/schedule_spec.go b/models/actions/schedule_spec.go index bcaee8bd6f..864fb5e2db 100644 --- a/models/actions/schedule_spec.go +++ b/models/actions/schedule_spec.go @@ -13,7 +13,7 @@ import ( "forgejo.org/modules/optional" "forgejo.org/modules/timeutil" - "github.com/robfig/cron/v3" + "github.com/gdgvda/cron" ) // ActionScheduleSpec represents a schedule spec of a workflow file @@ -53,16 +53,14 @@ func NewActionScheduleSpec(cron string, tz optional.Option[string], referenceTim // Parse parses the spec and returns a cron.Schedule // Unlike the default cron parser, Parse uses UTC timezone as the default if none is specified. func (s *ActionScheduleSpec) Parse() (cron.Schedule, error) { - parser := cron.NewParser(cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow | cron.Descriptor) - schedule, err := parser.Parse(s.Spec) + parser, err := cron.NewDefaultParser(cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow | cron.Descriptor) if err != nil { return nil, err } - specSchedule, ok := schedule.(*cron.SpecSchedule) - // If it's not a spec schedule, like "@every 5m", timezone is not relevant - if !ok { - return schedule, nil + schedule, err := parser.Parse(s.Spec) + if err != nil { + return nil, err } // If `timezone` is not defined in the workflow, but the spec includes a timezone, use it. @@ -81,8 +79,7 @@ func (s *ActionScheduleSpec) Parse() (cron.Schedule, error) { location = time.UTC } - specSchedule.Location = location - return specSchedule, nil + return schedule.WithLocation(location), nil } func init() { diff --git a/services/actions/schedule_tasks.go b/services/actions/schedule_tasks.go index 4c9de4d7f6..fab9ae8df5 100644 --- a/services/actions/schedule_tasks.go +++ b/services/actions/schedule_tasks.go @@ -22,7 +22,7 @@ import ( "code.forgejo.org/forgejo/runner/v12/act/jobparser" act_model "code.forgejo.org/forgejo/runner/v12/act/model" - "github.com/robfig/cron/v3" + "github.com/gdgvda/cron" "xorm.io/builder" )