mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-07-18 07:28:47 +00:00
Closes #11859 🙂 Wanted to be able to grab action logs from my homelab dashboard without juggling session cookies. Two endpoints so scripts and webhooks can pull logs without scraping the rendered UI: - `GET /repos/{owner}/{repo}/actions/jobs/{job_id}/logs` returns plaintext for a single job's latest task. The underlying reader is `io.ReadSeekCloser`, so passing it through `http.ServeContent` gives you HTTP `Range:` for free. - `GET /repos/{owner}/{repo}/actions/runs/{run_id}/logs` streams a zip of every job's logs in the run. If a job hasn't started (`TaskID == 0`), its log expired, or opening the log file fails, the zip gets a `.MISSING` placeholder entry rather than bailing on the whole archive. Both endpoints get `reqToken()` per-route. Logs can have secrets accidentally echoed into them, so I wanted auth required even though the outer `/repos` group's `tokenRequiresScopes(AccessTokenScopeCategoryRepository)` already covers scope. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes - I added test coverage for Go changes... - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. (`tests/integration/api_actions_job_logs_test.go`, `tests/integration/api_actions_run_logs_test.go`) - I ran... - [x] `make pr-go` before pushing ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. (The new endpoints are covered by the regenerated swagger spec in this PR; `docs/user/api-usage.md` is general auth/usage guidance and doesn't need changes. Happy to open a docs PR if reviewers prefer.) ### Release notes - [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. Release note added as `release-notes/12666.md`. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12666 Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org> Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
212 lines
8.1 KiB
Go
212 lines
8.1 KiB
Go
// Copyright 2026 The Forgejo Authors. All rights reserved.
|
|
// SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
package integration
|
|
|
|
import (
|
|
"archive/zip"
|
|
"bytes"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"net/url"
|
|
"testing"
|
|
"time"
|
|
|
|
actions_model "forgejo.org/models/actions"
|
|
auth_model "forgejo.org/models/auth"
|
|
repo_model "forgejo.org/models/repo"
|
|
"forgejo.org/models/unittest"
|
|
user_model "forgejo.org/models/user"
|
|
"forgejo.org/modules/setting"
|
|
|
|
runnerv1 "code.forgejo.org/forgejo/actions-proto/runner/v1"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"google.golang.org/protobuf/types/known/timestamppb"
|
|
)
|
|
|
|
func TestAPIGetActionRunLogs(t *testing.T) {
|
|
if !setting.Database.Type.IsSQLite3() {
|
|
t.Skip()
|
|
}
|
|
now := time.Now()
|
|
outcomeJob1 := &mockTaskOutcome{
|
|
result: runnerv1.Result_RESULT_SUCCESS,
|
|
logRows: []*runnerv1.LogRow{
|
|
{Time: timestamppb.New(now.Add(1 * time.Second)), Content: "job1-output line one"},
|
|
{Time: timestamppb.New(now.Add(2 * time.Second)), Content: "job1-output line two"},
|
|
},
|
|
}
|
|
outcomeJob2 := &mockTaskOutcome{
|
|
result: runnerv1.Result_RESULT_SUCCESS,
|
|
logRows: []*runnerv1.LogRow{
|
|
{Time: timestamppb.New(now.Add(3 * time.Second)), Content: "job2-output line one"},
|
|
{Time: timestamppb.New(now.Add(4 * time.Second)), Content: "job2-output line two"},
|
|
},
|
|
}
|
|
// A third job with a non-ASCII display name (kanji + emoji) to confirm
|
|
// the ZIP entry preserves UTF-8 verbatim — regression guard against any
|
|
// future tightening of the filename sanitize.
|
|
outcomeJobUTF8 := &mockTaskOutcome{
|
|
result: runnerv1.Result_RESULT_SUCCESS,
|
|
logRows: []*runnerv1.LogRow{
|
|
{Time: timestamppb.New(now.Add(5 * time.Second)), Content: "utf8-output line one"},
|
|
},
|
|
}
|
|
// Display name uses kanji + a non-BMP emoji (U+1F680) so the test
|
|
// exercises multi-byte UTF-8 and surrogate-pair territory.
|
|
utf8JobDisplayName := "测试-\U0001f680"
|
|
workflow := fmt.Sprintf(`name: api-run-logs
|
|
on: push
|
|
jobs:
|
|
job1:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- run: echo job1 first line
|
|
job2:
|
|
runs-on: ubuntu-latest
|
|
needs: [job1]
|
|
steps:
|
|
- run: echo job2 first line
|
|
utf8-job:
|
|
name: %s
|
|
runs-on: ubuntu-latest
|
|
needs: [job2]
|
|
steps:
|
|
- run: echo utf8 first line
|
|
`, utf8JobDisplayName)
|
|
treePath := ".forgejo/workflows/api-run-logs.yml"
|
|
|
|
onApplicationRun(t, func(t *testing.T, u *url.URL) {
|
|
user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
session := loginUser(t, user2.Name)
|
|
token := getTokenForLoggedInUser(t, session,
|
|
auth_model.AccessTokenScopeWriteRepository,
|
|
auth_model.AccessTokenScopeWriteUser,
|
|
)
|
|
|
|
// Repo A receives the workflow + runs the jobs.
|
|
apiRepoA := createActionsTestRepo(t, token, "actions-run-logs", false)
|
|
repoA := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: apiRepoA.ID})
|
|
|
|
// Repo B is the cross-repo target — used to verify the guard.
|
|
apiRepoB := createActionsTestRepo(t, token, "actions-run-logs-other", false)
|
|
|
|
runner := newMockRunner()
|
|
runner.registerAsRepoRunner(t, user2.Name, repoA.Name, "mock-runner", []string{"ubuntu-latest"})
|
|
|
|
opts := getWorkflowCreateFileOptions(user2, repoA.DefaultBranch,
|
|
fmt.Sprintf("create %s", treePath), workflow)
|
|
createWorkflowFile(t, token, user2.Name, repoA.Name, treePath, opts)
|
|
|
|
// Dependency chain: job1 → job2 → utf8-job. Each `needs:` clause
|
|
// makes the runner pickup order deterministic.
|
|
task1 := runner.fetchTask(t)
|
|
runner.execTask(t, task1, outcomeJob1)
|
|
|
|
task2 := runner.fetchTask(t)
|
|
runner.execTask(t, task2, outcomeJob2)
|
|
|
|
task3 := runner.fetchTask(t)
|
|
runner.execTask(t, task3, outcomeJobUTF8)
|
|
|
|
actionTask1 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: task1.Id})
|
|
actionRunJob1 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: actionTask1.JobID})
|
|
actionTask2 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: task2.Id})
|
|
actionRunJob2 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: actionTask2.JobID})
|
|
actionTask3 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: task3.Id})
|
|
actionRunJob3 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: actionTask3.JobID})
|
|
|
|
require.Equal(t, "job1", actionRunJob1.JobID, "first fetched task should be job1")
|
|
require.Equal(t, "job2", actionRunJob2.JobID, "second fetched task should be job2 (needs: [job1])")
|
|
require.Equal(t, "utf8-job", actionRunJob3.JobID, "third fetched task should be utf8-job (needs: [job2])")
|
|
require.Equal(t, utf8JobDisplayName, actionRunJob3.Name,
|
|
"DB should store the YAML `name:` field verbatim, including UTF-8")
|
|
require.Equal(t, actionRunJob1.RunID, actionRunJob2.RunID, "both jobs should belong to the same run")
|
|
require.Equal(t, actionRunJob1.RunID, actionRunJob3.RunID, "utf8-job should belong to the same run")
|
|
runID := actionRunJob1.RunID
|
|
|
|
t.Run("happy path: 200 valid zip with per-job entries", func(t *testing.T) {
|
|
req := NewRequestf(t, "GET",
|
|
"/api/v1/repos/%s/actions/runs/%d/logs",
|
|
repoA.FullName(), runID,
|
|
)
|
|
req.AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
|
|
assert.Equal(t, "application/zip", resp.Header().Get("Content-Type"))
|
|
assert.Contains(t, resp.Header().Get("Content-Disposition"),
|
|
fmt.Sprintf("run-%d-logs.zip", runID))
|
|
|
|
r, err := zip.NewReader(bytes.NewReader(resp.Body.Bytes()), int64(resp.Body.Len()))
|
|
require.NoError(t, err)
|
|
|
|
// Read every entry into a map keyed by filename so we can assert
|
|
// names and content exactly, and surface unexpected extras.
|
|
entries := map[string]string{}
|
|
for _, f := range r.File {
|
|
fr, err := f.Open()
|
|
require.NoError(t, err)
|
|
data, err := io.ReadAll(fr)
|
|
require.NoError(t, err)
|
|
require.NoError(t, fr.Close())
|
|
entries[f.Name] = string(data)
|
|
}
|
|
|
|
job1Name := fmt.Sprintf("%s-%d-attempt-%d.log", actionRunJob1.Name, actionRunJob1.ID, actionRunJob1.Attempt)
|
|
job2Name := fmt.Sprintf("%s-%d-attempt-%d.log", actionRunJob2.Name, actionRunJob2.ID, actionRunJob2.Attempt)
|
|
utf8Name := fmt.Sprintf("%s-%d-attempt-%d.log", actionRunJob3.Name, actionRunJob3.ID, actionRunJob3.Attempt)
|
|
|
|
require.Len(t, entries, 3, "zip should contain exactly one entry per job")
|
|
require.Contains(t, entries, job1Name, "expected job1 entry %q", job1Name)
|
|
require.Contains(t, entries, job2Name, "expected job2 entry %q", job2Name)
|
|
// Explicit UTF-8-preservation check: the entry name must contain
|
|
// the verbatim kanji + emoji, with no Unicode-to-underscore mangling.
|
|
require.Contains(t, entries, utf8Name,
|
|
"expected UTF-8 entry %q (sanitize must preserve non-ASCII verbatim)", utf8Name)
|
|
|
|
assert.Contains(t, entries[job1Name], "job1-output line one")
|
|
assert.Contains(t, entries[job1Name], "job1-output line two")
|
|
assert.Contains(t, entries[job2Name], "job2-output line one")
|
|
assert.Contains(t, entries[job2Name], "job2-output line two")
|
|
assert.Contains(t, entries[utf8Name], "utf8-output line one")
|
|
})
|
|
|
|
t.Run("cross-repo: 404 when run_id belongs to a different repo", func(t *testing.T) {
|
|
req := NewRequestf(t, "GET",
|
|
"/api/v1/repos/%s/actions/runs/%d/logs",
|
|
apiRepoB.FullName, runID,
|
|
)
|
|
req.AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
})
|
|
|
|
t.Run("not found: 404 for unknown run_id", func(t *testing.T) {
|
|
req := NewRequestf(t, "GET",
|
|
"/api/v1/repos/%s/actions/runs/%d/logs",
|
|
repoA.FullName(), runID+999999,
|
|
)
|
|
req.AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
})
|
|
|
|
t.Run("wrong scope: 403 without read:repository", func(t *testing.T) {
|
|
// Token with only user scope, no repository access.
|
|
weakToken := getTokenForLoggedInUser(t, session,
|
|
auth_model.AccessTokenScopeReadUser,
|
|
)
|
|
req := NewRequestf(t, "GET",
|
|
"/api/v1/repos/%s/actions/runs/%d/logs",
|
|
repoA.FullName(), runID,
|
|
)
|
|
req.AddTokenAuth(weakToken)
|
|
MakeRequest(t, req, http.StatusForbidden)
|
|
})
|
|
|
|
httpContextA := NewAPITestContext(t, user2.Name, repoA.Name, auth_model.AccessTokenScopeWriteUser)
|
|
doAPIDeleteRepository(httpContextA)(t)
|
|
httpContextB := NewAPITestContext(t, user2.Name, apiRepoB.Name, auth_model.AccessTokenScopeWriteUser)
|
|
doAPIDeleteRepository(httpContextB)(t)
|
|
})
|
|
}
|