Skip to content

Add instance-level secrets #27725

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add instance-level secrets #27725

wants to merge 1 commit into from

Conversation

@jbgomond
Copy link
Contributor

@jbgomond jbgomond commented Oct 21, 2023
edited by lunny
Loading

This PR adds instance-level secrets, and so closes #27373.

I did the implementation next to the current secrets code. I was wondering though if it was intentional that the code was outside the action files or legacy ? (it's out of the scope of this PR, but I was wondering)

image

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Oct 21, 2023
@github-actions github-actions bot added modifies/translation modifies/api This PR adds API routes or modifies them modifies/migrations labels Oct 21, 2023
@jbgomond jbgomond force-pushed the feature/instance-secrets branch from ba6d1ea to 908834a Compare October 21, 2023 21:58
@go-gitea go-gitea deleted a comment from GiteaBot Oct 22, 2023
@jbgomond jbgomond force-pushed the feature/instance-secrets branch from 908834a to 2403ceb Compare October 22, 2023 03:18
lunny
lunny reviewed Oct 22, 2023
View reviewed changes
lunny
lunny reviewed Oct 22, 2023
View reviewed changes
@jbgomond jbgomond force-pushed the feature/instance-secrets branch from 2403ceb to 921bc07 Compare October 22, 2023 14:40
@jbgomond jbgomond requested a review from lunny October 27, 2023 23:03
lunny
lunny reviewed Oct 29, 2023
View reviewed changes
@jbgomond jbgomond force-pushed the feature/instance-secrets branch 2 times, most recently from 88ef9f1 to 15d6d7c Compare October 29, 2023 10:02
@jbgomond jbgomond mentioned this pull request Oct 29, 2023
Merged
@jbgomond jbgomond changed the title Added instance-level secrets Add instance-level secrets Oct 29, 2023
KN4CK3R pushed a commit that referenced this pull request Oct 29, 2023
@jbgomond
Fix bad method call when deleting user secrets via API (#27829)
641e816 
Fixed a little mistake when you deleting user secrets via the API. Found
it when working on #27725.
It should be backported to 1.21 I think.
@GiteaBot GiteaBot mentioned this pull request Oct 29, 2023
Merged
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Oct 29, 2023
@jbgomond @GiteaBot
Fix bad method call when deleting user secrets via API (go-gitea#27829)
e2eed09 
Fixed a little mistake when you deleting user secrets via the API. Found
it when working on go-gitea#27725.
It should be backported to 1.21 I think.
lunny pushed a commit that referenced this pull request Oct 29, 2023
@GiteaBot @jbgomond
Fix bad method call when deleting user secrets via API (#27829) (#27831)
25bc3d5 
Backport #27829 by @jbgomond

Fixed a little mistake when you deleting user secrets via the API. Found
it when working on #27725.
It should be backported to 1.21 I think.

Co-authored-by: Jean-Baptiste Gomond <[email protected]>
@lunny lunny added this to the 1.22.0 milestone Oct 29, 2023
lunny
lunny reviewed Oct 29, 2023
View reviewed changes
@jbgomond jbgomond force-pushed the feature/instance-secrets branch from 15d6d7c to f5c9464 Compare October 29, 2023 14:19
lunny
lunny reviewed Oct 29, 2023
View reviewed changes
@jbgomond jbgomond force-pushed the feature/instance-secrets branch from f5c9464 to 869efc6 Compare October 29, 2023 14:34
lunny
lunny reviewed Oct 30, 2023
View reviewed changes
@jbgomond
Copy link
Contributor Author

jbgomond commented Nov 9, 2023

Is it ok to be merged ?

@GiteaBot
Copy link
Collaborator

GiteaBot commented Mar 2, 2024

This pull request has a last call and has not had any activity in the past two weeks. Consider it to be a polite refusal. 🍵

@GiteaBot GiteaBot closed this Mar 2, 2024
@GiteaBot GiteaBot removed this from the 1.22.0 milestone Mar 2, 2024
@techknowlogick techknowlogick reopened this Mar 2, 2024
@techknowlogick
Copy link
Member

techknowlogick commented Mar 2, 2024
edited
Loading

Reopening.

While we have instance wide variables, having instance wide secrets would be useful for a specific use case, if the instance is targeted to specific user group then this could work. As it is possible to extract secrets through various ways if you have access the be able to run a workflow, so it wouldnt work to protect a secret on a public instance or on one with untrusted users.

Previously when I used drone I did something like this to store docker hub secrets as I had repos in different orgs, but they all needed to push to the same place. And having this allowed me not to have to duplicate a secret. This only worked as I was the only one on the instance.

The above is to say I am welcoming of this PR, and would love to see it get in, I’m thinking it just needs some guide rails on it to ensure when people use it they are aware of the caveats.

@lunny
Copy link
Member

lunny commented Mar 2, 2024

per #27725 (review), I think maybe we can close this one.

@jbgomond
Copy link
Contributor Author

jbgomond commented Mar 3, 2024
edited
Loading

For public instances this a Anti-Feature. Even for closed instances, org secrets should be enough

I disagree on that one. For public instances sure, it's useless. But Gitea is used by small firms or groups to have a private Git solution, and projects are separated in different "organisations", as are "workspaces" in Bitbucket, to separate the clients / projects.

In that type of situation (it's my case), we have single Docker instance, and we need to store passwords across all ""organisations"" because it's the same account. Using variables is not the solution, because they are shown plain text in the action logs.

Without instance level secrets, the only solution is to duplicate secrets in all organisations, and in case of changes, to update all of them. It's not feasable, I have more than 100 organisations (projects) created.

I understand that the secret system is flawed at its core, but in that case, it is the same with organisation secrets. Maybe there's room to improve that then ? Also, if we are scared about public instances, maybe a startup option would be the solution ? So that administrators are voluntarily enabling the feature ?

@techknowlogick
Copy link
Member

@jbgomond I think we pretty much have the same use case for this.

@lunny
Copy link
Member

lunny commented Mar 4, 2024

Maybe we can have a configuration item so users can chose enable/disable it?

@jbgomond
Copy link
Contributor Author

jbgomond commented Mar 6, 2024

Fine for me, a good intermediate solution

@GiteaBot

This comment was marked as resolved.

Sign in to view
@GiteaBot GiteaBot closed this Mar 22, 2024
@lunny lunny reopened this Mar 22, 2024
@github-actions github-actions bot added modifies/go Pull requests that update Go code modifies/templates This PR modifies the template files labels Mar 22, 2024
@delvh delvh removed the pr/last-call This PR has been stale for too long. If no one reviewes it within a week, it will be closed. label Mar 22, 2024
@lunny
Copy link
Member

lunny commented Jun 20, 2025

Fine for me, a good intermediate solution

So that could you add the global configuration in this PR and disabled by default?

@lunny lunny mentioned this pull request Aug 3, 2025
Open
@ZPascal
Copy link

ZPascal commented Aug 3, 2025

Hello @lunny, I have rebased the existing PR and opened a new one here PR to move the issue forward. If necessary, I would take over the PR and adjust the necessary code lines to embed the desired change (global configuration parameter).

@jbgomond jbgomond force-pushed the feature/instance-secrets branch 2 times, most recently from aa49e48 to 53afdc1 Compare August 4, 2025 01:47
@jbgomond
Copy link
Contributor Author

jbgomond commented Aug 4, 2025

Hello, thanks for the help @ZPascal 👍 I updated the branch. I'll test out everything and add the startup option tomorrow.

@jbgomond jbgomond force-pushed the feature/instance-secrets branch 3 times, most recently from efde91a to 6d82f12 Compare August 4, 2025 21:46
@github-actions github-actions bot added the docs-update-needed The document needs to be updated synchronously label Aug 4, 2025
@jbgomond jbgomond force-pushed the feature/instance-secrets branch from 6d82f12 to 5d0beff Compare August 4, 2025 22:14
@ZPascal
Copy link

ZPascal commented Aug 11, 2025
edited
Loading

Hello, thanks for the help @ZPascal 👍 I updated the branch. I'll test out everything and add the startup option tomorrow.

@jbgomond Do you need further support to push the topic?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lunny lunny lunny approved these changes

@KN4CK3R KN4CK3R KN4CK3R left review comments

@wolfogre wolfogre Awaiting requested review from wolfogre

Assignees

No one assigned

Labels

docs-update-needed The document needs to be updated synchronously lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code modifies/templates This PR modifies the template files modifies/translation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Instance-level secrets

8 participants

@jbgomond @lunny @delvh @GiteaBot @techknowlogick @ZPascal @KN4CK3R @wolfogre