Merge branch 'main' into refactor/nested-api/hook

.github/workflows/build.yml

@@ -16,7 +16,7 @@ jobs:
       uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: install go
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         # use version from go.mod file
         go-version-file: 'go.mod'

.github/workflows/codeql-analysis.yml

@@ -38,7 +38,7 @@ jobs:
       uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: install go
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         # use version from go.mod file
         go-version-file: 'go.mod'
@@ -47,7 +47,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
+      uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
+      uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
+      uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13

.github/workflows/integration-test.yml

@@ -43,7 +43,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: install go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           # use version from go.mod file
           go-version-file: 'go.mod'
@@ -65,7 +65,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: install go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           # use version from go.mod file
           go-version-file: 'go.mod'

.github/workflows/prerelease.yml

@@ -20,7 +20,7 @@ jobs:
         fetch-depth: 0
 
     - name: install go
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         # use version from go.mod file
         go-version-file: 'go.mod'

.github/workflows/publish.yml

@@ -19,7 +19,7 @@ jobs:
         fetch-depth: 0
 
     - name: install go
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         # use version from go.mod file
         go-version-file: 'go.mod'

.github/workflows/reviewdog.yml

@@ -15,7 +15,7 @@ jobs:
       uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: install go
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         # use version from go.mod file
         go-version-file: 'go.mod'
@@ -39,7 +39,7 @@ jobs:
       uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: install go
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         # use version from go.mod file
         go-version-file: 'go.mod'

.github/workflows/spec.yml

@@ -16,7 +16,7 @@ jobs:
       uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: install go
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         # use version from go.mod file
         go-version-file: 'go.mod'

.github/workflows/test.yml

@@ -16,7 +16,7 @@ jobs:
       uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: install go
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         # use version from go.mod file
         go-version-file: 'go.mod'

.github/workflows/validate.yml

@@ -16,7 +16,7 @@ jobs:
       uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: install go
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         # use version from go.mod file
         go-version-file: 'go.mod'

api/dashboard/get.go

@@ -116,6 +116,7 @@ func buildRepoPartials(c context.Context, repos []*types.DashboardRepo) ([]types
 				Status:   build.GetStatus(),
 				Started:  build.GetStarted(),
 				Finished: build.GetFinished(),
+				Ref:      build.GetRef(),
 				Sender:   build.GetSender(),
 				Branch:   build.GetBranch(),
 				Event:    build.GetEvent(),

api/oi_config.go

@@ -11,7 +11,7 @@ import (
 	"github.com/sirupsen/logrus"
 
 	"github.com/go-vela/server/api/types"
-	"github.com/go-vela/server/internal"
+	"github.com/go-vela/server/internal/token"
 )
 
 // swagger:operation GET /_services/token/.well-known/openid-configuration token GetOpenIDConfig
@@ -32,14 +32,14 @@ import (
 
 // GetOpenIDConfig represents the API handler for requests for configurations in the Vela OpenID service.
 func GetOpenIDConfig(c *gin.Context) {
-	m := c.MustGet("metadata").(*internal.Metadata)
 	l := c.MustGet("logger").(*logrus.Entry)
+	tm := c.MustGet("token-manager").(*token.Manager)
 
 	l.Debug("reading OpenID configuration")
 
 	config := types.OpenIDConfig{
-		Issuer:      fmt.Sprintf("%s/_services/token", m.Vela.Address),
-		JWKSAddress: fmt.Sprintf("%s/%s", m.Vela.Address, "_services/token/.well-known/jwks"),
+		Issuer:      tm.Issuer,
+		JWKSAddress: fmt.Sprintf("%s/.well-known/jwks", tm.Issuer),
 		ClaimsSupported: []string{
 			"sub",
 			"exp",

api/types/dashboard.go

@@ -23,6 +23,7 @@ type BuildPartial struct {
 	Started  int64  `json:"started,omitempty"`
 	Finished int64  `json:"finished,omitempty"`
 	Sender   string `json:"sender,omitempty"`
+	Ref      string `json:"ref,omitempty"`
 	Status   string `json:"status,omitempty"`
 	Event    string `json:"event,omitempty"`
 	Branch   string `json:"branch,omitempty"`

api/webhook/post.go

@@ -484,7 +484,7 @@ func PostWebhook(c *gin.Context) {
 
 	// if the webhook was from a Pull event from a forked repository, verify it is allowed to run
 	if webhook.PullRequest.IsFromFork {
-		l.Tracef("inside %s workflow for fork PR build %s/%d", repo.GetApproveBuild(), r.GetFullName(), b.GetNumber())
+		l.Tracef("inside %s workflow for fork PR build %s/%d", repo.GetApproveBuild(), repo.GetFullName(), b.GetNumber())
 
 		switch repo.GetApproveBuild() {
 		case constants.ApproveForkAlways:
@@ -496,7 +496,7 @@ func PostWebhook(c *gin.Context) {
 			return
 		case constants.ApproveForkNoWrite:
 			// determine if build sender has write access to parent repo. If not, this call will result in an error
-			_, err = scm.FromContext(c).RepoAccess(ctx, b.GetSender(), r.GetOwner().GetToken(), r.GetOrg(), r.GetName())
+			_, err = scm.FromContext(c).RepoAccess(ctx, b.GetSender(), repo.GetOwner().GetToken(), repo.GetOrg(), repo.GetName())
 			if err != nil {
 				err = gatekeepBuild(c, b, repo)
 				if err != nil {
@@ -512,7 +512,7 @@ func PostWebhook(c *gin.Context) {
 			//
 			// NOTE: this call is cumbersome for repos with lots of contributors. Potential TODO: improve this if
 			// GitHub adds a single-contributor API endpoint.
-			contributor, err := scm.FromContext(c).RepoContributor(ctx, r.GetOwner(), b.GetSender(), r.GetOrg(), r.GetName())
+			contributor, err := scm.FromContext(c).RepoContributor(ctx, repo.GetOwner(), b.GetSender(), repo.GetOrg(), repo.GetName())
 			if err != nil {
 				util.HandleError(c, http.StatusInternalServerError, err)
 			}
@@ -552,6 +552,8 @@ func PostWebhook(c *gin.Context) {
 
 // handleRepositoryEvent is a helper function that processes repository events from the SCM and updates
 // the database resources with any relevant changes resulting from the event, such as name changes, transfers, etc.
+//
+// the caller is responsible for returning errors to the client.
 func handleRepositoryEvent(ctx context.Context, c *gin.Context, m *internal.Metadata, h *types.Hook, r *types.Repo) (*types.Repo, error) {
 	l := c.MustGet("logger").(*logrus.Entry)
 
@@ -664,6 +666,8 @@ func handleRepositoryEvent(ctx context.Context, c *gin.Context, m *internal.Meta
 // queries the database for the repo that matches that name and org, and updates
 // that repo to its new name in order to preserve it. It also updates the secrets
 // associated with that repo as well as build links for the UI.
+//
+// the caller is responsible for returning errors to the client.
 func RenameRepository(ctx context.Context, h *types.Hook, r *types.Repo, c *gin.Context, m *internal.Metadata) (*types.Repo, error) {
 	l := c.MustGet("logger").(*logrus.Entry)
 
@@ -692,7 +696,6 @@ func RenameRepository(ctx context.Context, h *types.Hook, r *types.Repo, c *gin.
 	lastHook, err := database.FromContext(c).LastHookForRepo(ctx, dbR)
 	if err != nil {
 		retErr := fmt.Errorf("unable to get last hook for repo %s: %w", r.GetFullName(), err)
-		util.HandleError(c, http.StatusInternalServerError, retErr)
 
 		h.SetStatus(constants.StatusFailure)
 		h.SetError(retErr.Error())
@@ -796,7 +799,6 @@ func RenameRepository(ctx context.Context, h *types.Hook, r *types.Repo, c *gin.
 	dbR, err = database.FromContext(c).UpdateRepo(ctx, dbR)
 	if err != nil {
 		retErr := fmt.Errorf("%s: failed to update repo %s/%s", baseErr, dbR.GetOrg(), dbR.GetName())
-		util.HandleError(c, http.StatusBadRequest, retErr)
 
 		h.SetStatus(constants.StatusFailure)
 		h.SetError(retErr.Error())

cmd/vela-server/main.go

@@ -187,6 +187,11 @@ func main() {
 			Usage:   "sets the duration of an OpenID token requested during a build (should be short)",
 			Value:   5 * time.Minute,
 		},
+		&cli.StringFlag{
+			EnvVars: []string{"VELA_OPEN_ID_ISSUER", "OPEN_ID_ISSUER"},
+			Name:    "oidc-issuer",
+			Usage:   "sets the issuer of the OpenID token requested during a build",
+		},
 		// Compiler Flags
 		&cli.BoolFlag{
 			EnvVars: []string{"VELA_COMPILER_GITHUB", "COMPILER_GITHUB"},

cmd/vela-server/server.go

@@ -108,6 +108,15 @@ func server(c *cli.Context) error {
 		return err
 	}
 
+	// determine issuer for metadata and token manager
+	oidcIssuer := c.String("oidc-issuer")
+	if len(oidcIssuer) == 0 {
+		oidcIssuer = fmt.Sprintf("%s/_services/token", c.String("server-addr"))
+	}
+
+	metadata.Vela.OpenIDIssuer = oidcIssuer
+	tm.Issuer = oidcIssuer
+
 	jitter := wait.Jitter(5*time.Second, 2.0)
 
 	logrus.Infof("retrieving initial platform settings after %v delay", jitter)

cmd/vela-server/token.go

@@ -3,8 +3,6 @@
 package main
 
 import (
-	"fmt"
-
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli/v2"
 
@@ -24,7 +22,6 @@ func setupTokenManager(c *cli.Context, db database.Interface) (*token.Manager, e
 		WorkerAuthTokenDuration:     c.Duration("worker-auth-token-duration"),
 		WorkerRegisterTokenDuration: c.Duration("worker-register-token-duration"),
 		IDTokenDuration:             c.Duration("id-token-duration"),
-		Issuer:                      fmt.Sprintf("%s/_services/token", c.String("server-addr")),
 	}
 
 	// generate a new RSA key pair

cmd/vela-server/validate.go

@@ -4,6 +4,7 @@ package main
 
 import (
 	"fmt"
+	"net/url"
 	"strings"
 
 	"github.com/sirupsen/logrus"
@@ -105,6 +106,13 @@ func validateCore(c *cli.Context) error {
 		return fmt.Errorf("default-repo-approve-build (VELA_DEFAULT_REPO_APPROVE_BUILD) has the unsupported value of %s", c.String("default-repo-approve-build"))
 	}
 
+	if len(c.String("oidc-issuer")) > 0 {
+		_, err := url.Parse(c.String("oidc-issuer"))
+		if err != nil {
+			return fmt.Errorf("oidc-issuer (VELA_OPEN_ID_ISSUER) flag must be a valid URL")
+		}
+	}
+
 	return nil
 }
 

compiler/native/compile_test.go

@@ -15,7 +15,7 @@ import (
 	yml "github.com/buildkite/yaml"
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-cmp/cmp"
-	"github.com/google/go-github/v62/github"
+	"github.com/google/go-github/v63/github"
 	"github.com/urfave/cli/v2"
 
 	api "github.com/go-vela/server/api/types"

compiler/native/environment.go

@@ -309,12 +309,14 @@ func environment(b *api.Build, m *internal.Metadata, r *api.Repo, u *api.User) m
 	// populate environment variables from metadata
 	if m != nil {
 		env["VELA_ADDR"] = m.Vela.WebAddress
+		env["VELA_SERVER_ADDR"] = m.Vela.Address
 		env["VELA_CHANNEL"] = m.Queue.Channel
 		env["VELA_DATABASE"] = m.Database.Driver
 		env["VELA_HOST"] = m.Vela.Address
 		env["VELA_NETRC_MACHINE"] = m.Source.Host
 		env["VELA_QUEUE"] = m.Queue.Driver
 		env["VELA_SOURCE"] = m.Source.Driver
+		env["VELA_OPEN_ID_ISSUER"] = m.Vela.OpenIDIssuer
 		env["VELA_ID_TOKEN_REQUEST_URL"] = fmt.Sprintf("%s/api/v1/repos/%s/builds/%d/id_token", m.Vela.Address, r.GetFullName(), b.GetNumber())
 		channel = m.Queue.Channel
 		workspace = fmt.Sprintf("%s/%s/%s/%s", workspace, m.Source.Host, r.GetOrg(), r.GetName())