test: test cloning of private reusable workflows (#1436)

Verify that Forgejo Runner can access a reusable workflow that is stored in a private repository.

That should help prevent https://code.forgejo.org/forgejo/runner/issues/1274 from happening again.

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1436
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>

actions/actions.sh

@@ -143,7 +143,7 @@ function test_actions() {
             done
         fi
 
-        for example in echo matrix needs workflow-call lxc config-options cache cache-pull-request checkout service container expression local-action docker-action if if-fail push tag push-cancel artifacts pull-request context; do
+        for example in echo matrix needs workflow-call lxc config-options cache cache-pull-request checkout service container expression local-action docker-action if if-fail push tag push-cancel artifacts pull-request context private-workflow-call; do
             run actions_verify_example $example
         done
 

actions/example-private-workflow-call/.forgejo/workflows/reusable.yaml

@@ -0,0 +1,10 @@
+on:
+  workflow_call:
+
+jobs:
+  build:
+    runs-on: "docker"
+    container:
+      image: data.forgejo.org/oci/node:24-trixie
+    steps:
+      - run: echo 'OK'

actions/example-private-workflow-call/.forgejo/workflows/test.yaml

@@ -0,0 +1,11 @@
+on:
+  push:
+
+jobs:
+  test:
+    # `runs-on` disables workflow expansion. We want that in this case, because then Forgejo Runner has to authenticate
+    # itself to access the reusable workflow.
+    runs-on: docker
+    container:
+      image: data.forgejo.org/oci/node:24-trixie
+    uses: ./.forgejo/workflows/reusable.yaml

actions/example-private-workflow-call/run.sh

@@ -0,0 +1,42 @@
+api="$url/api/v1"
+export d=/srv/example/private-workflow-call
+
+function main() {
+    mkdir -p "$d"
+
+    local repo
+    repo="root/example-$example"
+
+    forgejo-test-helper.sh push_workflow "actions/example-$example" "$url" root "example-$example" setup-forgejo "$token"
+
+    # push_workflow creates the repository and triggers a first workflow run. Wait for it to succeed. Ensures that the
+    # workflow is valid.
+    local sha
+    sha="$(forgejo-test-helper.sh branch_tip "$url" "$repo" main)"
+    forgejo-test-helper.sh wait_success "$url" "$repo" "$sha"
+
+    # Make the repository private. That is necessary to verify that Forgejo Runner includes the correct credentials when
+    # cloning the workflow.
+    forgejo-curl.sh api_json -X PATCH --data-raw '{"private":true}' "$api/repos/root/example-$example"
+
+    # Create a new commit that triggers a new workflow run that can be identified uniquely.
+    (
+        cd "$d" || exit 1
+        git clone "$url/root/example-$example"
+        cd "example-$example" || exit 1
+         git config user.email root@example.com
+        git config user.name username
+        echo "A new file" > test.txt
+        git add .
+        git commit -m 'Commit a new file'
+        git push
+    )
+
+    # Wait for the workflow pulled from the private repository to succeed.
+    local new_sha
+    new_sha="$(forgejo-test-helper.sh branch_tip "$url" "$repo" main)"
+    [[ "$new_sha" != "$sha" ]] || exit 1
+    forgejo-test-helper.sh wait_success "$url" "$repo" "$new_sha"
+}
+
+main

actions/example-private-workflow-call/setup.sh

@@ -0,0 +1 @@
+mkdir -p /srv/example/private-workflow-call