Fix various bugs (#35684)

1. Fix incorrect column in `applySubscribedCondition`, add a test 2. Fix debian version parsing, add more tests fix #35695 3. Fix log level for HTTP errors, fix #35651 4. Fix abused "panic" handler in API `Migrate` 5. Fix the redirection from PR to issue, add a test 6. Fix Actions variable & secret name validation, add more tests * envNameCIRegexMatch is unnecessary, removed * validating in "delete" function doesn't make sense, removed 7. Fix incorrect link in release email --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: delvh <dev.lh@web.de>
2026-03-20 11:50:27 +00:00 · 2025-10-19 00:37:50 +08:00
parent 322cb048e7
commit 2d36a0c9ff
15 changed files with 98 additions and 86 deletions
--- a/services/secrets/secrets.go
+++ b/services/secrets/secrets.go
@@ -56,10 +56,6 @@ func DeleteSecretByID(ctx context.Context, ownerID, repoID, secretID int64) erro
 }

 func DeleteSecretByName(ctx context.Context, ownerID, repoID int64, name string) error {
-	if err := ValidateName(name); err != nil {
-		return err
-	}
-
 	s, err := db.Find[secret_model.Secret](ctx, secret_model.FindSecretsOptions{
 		OwnerID: ownerID,
 		RepoID:  repoID,
--- a/services/secrets/validation.go
+++ b/services/secrets/validation.go
@@ -5,21 +5,29 @@ package secrets

 import (
 	"regexp"
+	"strings"
+	"sync"

 	"code.gitea.io/gitea/modules/util"
 )

+// https://docs.github.com/en/actions/learn-github-actions/variables#naming-conventions-for-configuration-variables
 // https://docs.github.com/en/actions/security-guides/encrypted-secrets#naming-your-secrets
-var (
-	namePattern            = regexp.MustCompile("(?i)^[A-Z_][A-Z0-9_]*$")
-	forbiddenPrefixPattern = regexp.MustCompile("(?i)^GIT(EA|HUB)_")
-
-	ErrInvalidName = util.NewInvalidArgumentErrorf("invalid secret name")
-)
+var globalVars = sync.OnceValue(func() (ret struct {
+	namePattern, forbiddenPrefixPattern *regexp.Regexp
+},
+) {
+	ret.namePattern = regexp.MustCompile("(?i)^[A-Z_][A-Z0-9_]*$")
+	ret.forbiddenPrefixPattern = regexp.MustCompile("(?i)^GIT(EA|HUB)_")
+	return ret
+})

 func ValidateName(name string) error {
-	if !namePattern.MatchString(name) || forbiddenPrefixPattern.MatchString(name) {
-		return ErrInvalidName
+	vars := globalVars()
+	if !vars.namePattern.MatchString(name) ||
+		vars.forbiddenPrefixPattern.MatchString(name) ||
+		strings.EqualFold(name, "CI") /* CI is always set to true in GitHub Actions*/ {
+		return util.NewInvalidArgumentErrorf("invalid variable or secret name")
 	}
 	return nil
 }
--- a/services/secrets/validation_test.go
+++ b/services/secrets/validation_test.go
@@ -0,0 +1,29 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package secrets
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestValidateName(t *testing.T) {
+	cases := []struct {
+		name  string
+		valid bool
+	}{
+		{"FOO", true},
+		{"FOO1_BAR2", true},
+		{"_FOO", true}, // really? why support this
+		{"1FOO", false},
+		{"giteA_xx", false},
+		{"githuB_xx", false},
+		{"cI", false},
+	}
+	for _, c := range cases {
+		err := ValidateName(c.name)
+		assert.Equal(t, c.valid, err == nil, "ValidateName(%q)", c.name)
+	}
+}