Add endpoint deleting workflow run #34337

NorthRealm · 2025-05-01T15:47:39Z

Add endpoint deleting workflow run
Resolves #26219

NorthRealm · 2025-05-08T11:55:35Z

@ChristopherHX I just tried adding CleanupEphemeralRunners to modules/actions/run.go and cannot compile. Import cycle error.

Just a random idea: Move your code from actions modules to actions services? so both are in the same module.

AFAIK Web and rest api can reference service, but I didn't think about where your deletion code is, relative to my cleanup function.

Anything else about ephemeral runners might be better discussed in a new issue / proposal. The old code works, because tasks that are finished within 24h are never deleted yet.

Just pushed new commits. Please check.

ChristopherHX · 2025-05-08T16:11:09Z

With deletion this is a follow up problem, this page looks very bad. No navigation bar, no styles.

Create / search for issues about this finding soon.

It so much easier to get this broken page with deletion, since the statuses point to that URL.

Out of scope for this PR

ChristopherHX

Overall looks good, but I defer my approval after more testing from my side.

services/actions/cleanup.go

templates/repo/actions/runs_list.tmpl

Co-authored-by: Lunny Xiao <[email protected]>

routers/api/v1/api.go

wxiaoguang · 2025-05-13T00:51:38Z

routers/api/v1/repo/action.go

+
+	runID := ctx.PathParamInt64("run")
+
+	run, err := actions_model.GetRunByID(ctx, runID)


Permission check bypass? A doer could delete repoB's action runs by accessing repoA?

Permission check bypass? A doer could delete repoB's action runs by accessing repoA?

I believe the middlewares before repo.DeleteActionRun already do permission check.

How? The middleware allows to access repoA, but what if your "runID" is for repoB?

I agree with wxiaoguang, the middleware does not check the path parameter "run" to belong to the checked repository.

Please check if the RepoID of the ActionRun with runid matches the ctx.Repo.Repository.ID

Feel free to look at the artifacts rest api Get and Delete by id.

@ChristopherHX In that case I think your artifact implementation has the same defection too

My GetArtifactsOfRun has a repoid filter => database checks it

My getArtifactsByPathParam has an explicit repo_id check after reading it by id from database

If you found something, please point me to it. I would be happy to fix it.

routers/api/v1/repo/action.go

routers/web/repo/actions/view.go

services/actions/cleanup.go

wxiaoguang · 2025-05-13T00:57:28Z

templates/repo/actions/runs_list.tmpl

@@ -36,6 +36,15 @@
 					<div class="run-list-meta">{{svg "octicon-calendar" 16}}{{DateUtils.TimeSince .Updated}}</div>
 					<div class="run-list-meta">{{svg "octicon-stopwatch" 16}}{{.Duration}}</div>
 				</div>
+				{{if and ($.AllowDeleteWorkflowRuns) (.Link) (.Status.IsDone)}}


Why check (.Link)?

At line 14 {{if .Link}}{{.Link}}{{else}}{{$.Link}}/{{.Index}}{{end}}
I don't quite understand this but I found .Link is the one wanted.

Hmm, I do not think the old code is right (since Implement actions (#21937))

the run.Link should be used directly without check.

iirc what I found is, take gitea as example, {{$.Link}} would be https://gitea.com/gitea/act/actions that misses out /runs.
So At line 14 can just remove the if check and at line 39 can remove the check?
In current Gitea probably {{$.Link}}/{{.Index}} would never be reached.
Anyone else?

IMO the old $.Link is an abuse (over-defensive programming)
.... I think we should always use run.Link in this case (just forget the $.Link and removing the if check should be good enough).

NorthRealm added 7 commits May 1, 2025 23:34

Backend

83f1bba

Refactor

a633f44

run.go jobIds len check

29a0fe5

API endpoint

b92b3c5

FIX

cb05cf7

Swagger

0dc984a

LINT FIX

61328b8

GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label May 1, 2025

github-actions bot added modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code labels May 1, 2025

NorthRealm added 6 commits May 2, 2025 15:08

Fix

c76fb69

MOCK

05aa0e4

Test

5f6238b

Mock

e5a8968

Test

7e6e6ae

Test

8922924

NorthRealm marked this pull request as ready for review May 2, 2025 10:22

NorthRealm force-pushed the delete-run-1 branch from 1618130 to 53ecc2b Compare May 2, 2025 13:32

NorthRealm added 3 commits May 2, 2025 22:10

MOCK

9435c3a

Test

1b759fb

LINT FIX

cf5bcfb

NorthRealm force-pushed the delete-run-1 branch from 53ecc2b to cf5bcfb Compare May 2, 2025 14:10

NorthRealm added 3 commits May 2, 2025 23:34

Merge remote-tracking branch 'upstream/main' into delete-run-1

51b328e

UPDATE

1b5be81

Button

63d2cda

github-actions bot added modifies/translation modifies/templates This PR modifies the template files labels May 3, 2025

NorthRealm added 3 commits May 3, 2025 19:14

Button

08f71c3

Button

933ffee

update

fdc3893

NorthRealm force-pushed the delete-run-1 branch from e40254e to 2718400 Compare May 8, 2025 11:29

ChristopherHX reviewed May 8, 2025

View reviewed changes

services/actions/cleanup.go Outdated Show resolved Hide resolved

NorthRealm added 3 commits May 9, 2025 11:43

update

2bbc402

Merge remote-tracking branch 'upstream/main' into delete-run-1

08d5409

update

1eed130

lunny reviewed May 11, 2025

View reviewed changes

templates/repo/actions/runs_list.tmpl Outdated Show resolved Hide resolved

lunny mentioned this pull request May 11, 2025

feat(runs_list): add button delete workflow run #33138

Open

Update template

fbd1a0e

Co-authored-by: Lunny Xiao <[email protected]>

NorthRealm requested a review from lunny May 12, 2025 07:39

lunny approved these changes May 12, 2025

View reviewed changes

GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels May 12, 2025