Fix safeFilename function to hash input to prevent leaking sensitive data to filesystem

[panekj]

Using uses: https://${{ secrets.USER }}:${{ secrets.PASS }}@host.tld/repo.git will leak credentials as plaintext to filesystem via actions cache

act-cli/pkg/runner/step_action_remote.go

Line 124 in afbf79f

actionDir := fmt.Sprintf("%s/%s", sar.RunContext.ActionCacheDir(), safeFilename(sar.Step.Uses))

https://gitea.com/gitea/act/pulls/117/files
https://gitea.com/pj/act/commit/b6450c7f71210cf9988deae3a84d41efb28eae77

[ChristopherHX]

Yes I remember this gitea bug caused by a new feature, at the moment we are not expanding anything in uses and even throw an validation error here.

Merging every gitea actions feature (like uses expansion) behind a feature-flag is ok for me as well.

We can plan this in.

[panekj]

Forgejo ref: https://code.forgejo.org/forgejo/act/pulls/100

[panekj]

Yes I remember this gitea bug caused by a new feature, at the moment we are not expanding anything in uses and even throw an validation error here.

Merging every gitea actions feature (like uses expansion) behind a feature-flag is ok for me as well.

I've been absent for a very long time so I'm not exactly up to date with what is going in between gitea/forgejo/act. I'm fine with whatever is happening as long as it's fixed, both Gitea and Forgejo have implemented/are implementing my suggestion to hash the uses string and use that as name for cache.

[ChristopherHX]

BTW this is acts point of view, I will improve this error block later.

Users of act requested schema validation, I implemented it.

on: push
jobs:
  _:
    runs-on: ubuntu-latest
    steps:
    - uses: https://${{ secrets.USER }}:${{ secrets.PASS }}@host.tld/repo.git

INFO[0000] Using docker host 'unix:///var/run/docker.sock', and daemon socket 'unix:///var/run/docker.sock' 
Error: workflow is not valid. 'w.yml': Line: 4 Column 5: Failed to match job-factory: Line: 6 Column 7: Failed to match run-step: Line: 6 Column 7: Unknown Property uses
Line: 6 Column 7: Failed to match regular-step: Line: 6 Column 13: expressions are not allowed here
Line: 6 Column 13: expressions are not allowed here
Line: 4 Column 5: Failed to match workflow-job: Line: 4 Column 5: Unknown Property runs-on
Line: 5 Column 5: Unknown Property steps

while

Line: 6 Column 13: expressions are not allowed here

prevents this scenario.

I'm not exactly up to date with what is going in between gitea/forgejo/act

Yes this is true, gitea act being several months behind nektos/act as well.
The error I posted above is included in a version past the last merge to gitea/act.

[ChristopherHX]

RE: https://gitea.com/gitea/act/issues/105#issuecomment-954905

Possibility for forgejo context part of the proposal.

Once the feature is enabled for this fork this field is going to be hashed, credentials stripped or valuemasker applied.