From 25c472b90bc1886a5d3c45770eb6196d1b833ccb Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Sun, 18 Jan 2026 20:15:11 +0000
Subject: [PATCH] test: test cloning of private reusable workflows (#1436)

Verify that Forgejo Runner can access a reusable workflow that is stored in a private repository.

That should help prevent https://code.forgejo.org/forgejo/runner/issues/1274 from happening again.

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1436
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
---
 actions/actions.sh                            |  2 +-
 .../.forgejo/workflows/reusable.yaml          | 10 +++++
 .../.forgejo/workflows/test.yaml              | 11 +++++
 actions/example-private-workflow-call/run.sh  | 42 +++++++++++++++++++
 .../example-private-workflow-call/setup.sh    |  1 +
 5 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 actions/example-private-workflow-call/.forgejo/workflows/reusable.yaml
 create mode 100644 actions/example-private-workflow-call/.forgejo/workflows/test.yaml
 create mode 100644 actions/example-private-workflow-call/run.sh
 create mode 100644 actions/example-private-workflow-call/setup.sh

diff --git a/actions/actions.sh b/actions/actions.sh
index 1dc6b14e..f97fd8a5 100755
--- a/actions/actions.sh
+++ b/actions/actions.sh
@@ -143,7 +143,7 @@ function test_actions() {
             done
         fi
 
-        for example in echo matrix needs workflow-call lxc config-options cache cache-pull-request checkout service container expression local-action docker-action if if-fail push tag push-cancel artifacts pull-request context; do
+        for example in echo matrix needs workflow-call lxc config-options cache cache-pull-request checkout service container expression local-action docker-action if if-fail push tag push-cancel artifacts pull-request context private-workflow-call; do
             run actions_verify_example $example
         done
 
diff --git a/actions/example-private-workflow-call/.forgejo/workflows/reusable.yaml b/actions/example-private-workflow-call/.forgejo/workflows/reusable.yaml
new file mode 100644
index 00000000..48832449
--- /dev/null
+++ b/actions/example-private-workflow-call/.forgejo/workflows/reusable.yaml
@@ -0,0 +1,10 @@
+on:
+  workflow_call:
+
+jobs:
+  build:
+    runs-on: "docker"
+    container:
+      image: data.forgejo.org/oci/node:24-trixie
+    steps:
+      - run: echo 'OK'
diff --git a/actions/example-private-workflow-call/.forgejo/workflows/test.yaml b/actions/example-private-workflow-call/.forgejo/workflows/test.yaml
new file mode 100644
index 00000000..9bb279b3
--- /dev/null
+++ b/actions/example-private-workflow-call/.forgejo/workflows/test.yaml
@@ -0,0 +1,11 @@
+on:
+  push:
+
+jobs:
+  test:
+    # `runs-on` disables workflow expansion. We want that in this case, because then Forgejo Runner has to authenticate
+    # itself to access the reusable workflow.
+    runs-on: docker
+    container:
+      image: data.forgejo.org/oci/node:24-trixie
+    uses: ./.forgejo/workflows/reusable.yaml
diff --git a/actions/example-private-workflow-call/run.sh b/actions/example-private-workflow-call/run.sh
new file mode 100644
index 00000000..e71dc991
--- /dev/null
+++ b/actions/example-private-workflow-call/run.sh
@@ -0,0 +1,42 @@
+api="$url/api/v1"
+export d=/srv/example/private-workflow-call
+
+function main() {
+    mkdir -p "$d"
+
+    local repo
+    repo="root/example-$example"
+
+    forgejo-test-helper.sh push_workflow "actions/example-$example" "$url" root "example-$example" setup-forgejo "$token"
+
+    # push_workflow creates the repository and triggers a first workflow run. Wait for it to succeed. Ensures that the
+    # workflow is valid.
+    local sha
+    sha="$(forgejo-test-helper.sh branch_tip "$url" "$repo" main)"
+    forgejo-test-helper.sh wait_success "$url" "$repo" "$sha"
+
+    # Make the repository private. That is necessary to verify that Forgejo Runner includes the correct credentials when
+    # cloning the workflow.
+    forgejo-curl.sh api_json -X PATCH --data-raw '{"private":true}' "$api/repos/root/example-$example"
+
+    # Create a new commit that triggers a new workflow run that can be identified uniquely.
+    (
+        cd "$d" || exit 1
+        git clone "$url/root/example-$example"
+        cd "example-$example" || exit 1
+         git config user.email root@example.com
+        git config user.name username
+        echo "A new file" > test.txt
+        git add .
+        git commit -m 'Commit a new file'
+        git push
+    )
+
+    # Wait for the workflow pulled from the private repository to succeed.
+    local new_sha
+    new_sha="$(forgejo-test-helper.sh branch_tip "$url" "$repo" main)"
+    [[ "$new_sha" != "$sha" ]] || exit 1
+    forgejo-test-helper.sh wait_success "$url" "$repo" "$new_sha"
+}
+
+main
diff --git a/actions/example-private-workflow-call/setup.sh b/actions/example-private-workflow-call/setup.sh
new file mode 100644
index 00000000..fd443948
--- /dev/null
+++ b/actions/example-private-workflow-call/setup.sh
@@ -0,0 +1 @@
+mkdir -p /srv/example/private-workflow-call