I've been wanting any cloud CI that I could use with Codeberg lately so I started experimenting with this. I couldn't get builds.sr.ht running locally so I stopped, but I do have a branch with a lot of the boilerplate done if anyone is interested in picking this up (no actual Gitea API code, just a copy/pasta of the GitHub integration with lots of structs renamed to "Gitea_whatever"). I'd be happy to send that along if anyone is interested in working on this and wants to avoid some of the tedious initial work.
Mine has a field where you'd enter your Gitea instance, then it would try to auth against that one, so in theory you could use it against several Gitea instances at once and just make different tasks for each.
When submitting the following build manifest (which I guess is invalid YAML):
I get the error: "'str' object has no attribute 'get'" which has no relation to YAML or what is wrong as far as I can tell. I'm not sure what this means, possibly it's a bug in Python land somewhere. It would be more helpful if it told me that the YAML was invalid (or whatever the problem with that manifest actually is).
It may not be a CSRF issue because you have SameSite set, but we don't have to trick users into clicking a link either. They could just visit a page with an embedded pre-load link or image, e.g. visiting this issue will log you out without any user input (note that the thing that logs you out is a comment which an attacker could put in any issue):
The usual way to fix this is to make the logout link a form and a POST request.
On Tue, Sep 1, 2020, at 17:21, ~sircmpwn wrote:
This isn't a CSRF issue, but rather just a problem of duping someone into clicking a link like this.
-- View on the web: https://todo.sr.ht/~sircmpwn/sr.ht/14#event-48317
-- Sam Whited
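The fix suggested in this thread (turn the logout link into a form that POSTs), as an added example that is not part of sr.ht's code: a minimal standard-library WSGI sketch with a logout handler that any embedded image or pre-load link can fire beside one that only accepts a POST carrying a per-session CSRF token. The in-memory session store, the `session` cookie name, the `login`/`logout_form` helpers and the `simulate` driver are all assumptions made for the demonstration.

```python
"""Logout endpoint: GET-triggered (weak) vs POST + per-session CSRF token (hardened).

Pure WSGI on the standard library; the session store is a constructed in-memory dict.
"""
import hmac
import secrets
from http.cookies import SimpleCookie
from io import BytesIO
from urllib.parse import parse_qs

SESSIONS = {}  # session id -> {"user": str, "csrf": str}  (assumed in-memory store)


def login(user):
    """Create a session and return its id (the cookie value). A CSRF token is
    minted per session so our own forms can prove they were rendered by us."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def _session(environ):
    """Return (session_id, record) from the 'session' cookie, or (None, None)."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get("session")
    if morsel is None:
        return None, None
    return morsel.value, SESSIONS.get(morsel.value)


def _respond(start_response, status, body=b"", extra_headers=()):
    headers = [("Content-Type", "text/html; charset=utf-8")] + list(extra_headers)
    start_response(status, headers)
    return [body]


def weak_logout(environ, start_response):
    """GET /logout that clears the session. Any <img src="/logout"> or pre-load
    link on a page the victim views fires this with the victim's cookie attached;
    because the page lives on the same site, SameSite does not stop it."""
    sid, _ = _session(environ)
    SESSIONS.pop(sid, None)
    return _respond(start_response, "303 See Other", extra_headers=[("Location", "/")])


def logout_form(csrf_token):
    """The logout control rendered as a form carrying the session's CSRF token."""
    return (
        '<form method="POST" action="/logout">'
        f'<input type="hidden" name="csrf" value="{csrf_token}">'
        '<button type="submit">Log out</button></form>'
    )


def safe_logout(environ, start_response):
    """POST-only logout that requires the session's CSRF token. An image or
    pre-load link can only issue a bodiless GET, which the method check rejects;
    a forged POST from attacker-controlled markup cannot know the token."""
    if environ.get("REQUEST_METHOD") != "POST":
        return _respond(start_response, "405 Method Not Allowed", b"POST required",
                        [("Allow", "POST")])
    sid, record = _session(environ)
    if record is None:  # nothing to log out of
        return _respond(start_response, "303 See Other", extra_headers=[("Location", "/")])
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode("utf-8"))
    supplied = form.get("csrf", [""])[0]
    # Constant-time comparison on bytes so a non-ASCII value cannot raise.
    if not hmac.compare_digest(supplied.encode("utf-8"), record["csrf"].encode("utf-8")):
        return _respond(start_response, "403 Forbidden", b"bad CSRF token")
    SESSIONS.pop(sid, None)
    return _respond(start_response, "303 See Other", extra_headers=[("Location", "/")])


def simulate(app, method, cookie="", body=""):
    """Drive a WSGI app with a constructed request; returns (status, body)."""
    raw = body.encode("utf-8")
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": "/logout",
        "HTTP_COOKIE": cookie, "CONTENT_LENGTH": str(len(raw)),
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "wsgi.input": BytesIO(raw),
    }
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = headers

    chunks = app(environ, start_response)
    return captured["status"], b"".join(chunks)


if __name__ == "__main__":
    sid = login("alice")
    print(simulate(weak_logout, "GET", f"session={sid}"))             # 303: logged out by a bare GET
    sid = login("alice")
    print(simulate(safe_logout, "GET", f"session={sid}"))             # 405: still logged in
    print(simulate(safe_logout, "POST", f"session={sid}", "csrf=x"))  # 403: wrong token
    token = SESSIONS[sid]["csrf"]
    print(simulate(safe_logout, "POST", f"session={sid}", f"csrf={token}"))  # 303: real logout
```

The point the thread makes is that the attacker's comment is served from the site itself, so a SameSite cookie attribute never comes into play; the request is same-site. Requiring POST removes the image/pre-load vector outright, and the token is what stops attacker-controlled markup from submitting the form on the user's behalf.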
This is an innocent issue that might log you out.
We should consider adding a replacement for tls-server-end-point to this document as well. What would that look like?
- Not long enough
- Not unique enough without master-secret fix
I have not heard anything, but I think the author is working on a new version of the API so this may be low priority. That's just a guess though.
REPORTED RESOLVED FIXED