From 0a37a03f2eb6f18cb77a0b21882172ae5a903219 Mon Sep 17 00:00:00 2001
From: Jason Song
Date: Fri, 6 Jan 2023 13:34:38 +0800
Subject: [PATCH] Clone actions without token (#6)

Shouldn't provide token when cloning actions, the token comes from the instance which triggered the task, it might be not the instance which provides actions. For GitHub, they are the same, always github.com. But for Gitea, tasks triggered by a.com can clone actions from b.com.
Reviewed-on: https://gitea.com/gitea/act/pulls/6
Reviewed-by: Lunny Xiao
Co-authored-by: Jason Song
Co-committed-by: Jason Song
---
 pkg/runner/step_action_remote.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pkg/runner/step_action_remote.go b/pkg/runner/step_action_remote.go
index 26b178e..264b060 100644
--- a/pkg/runner/step_action_remote.go
+++ b/pkg/runner/step_action_remote.go
@@ -64,7 +64,13 @@ func (sar *stepActionRemote) prepareActionExecutor() common.Executor {
 URL: sar.remoteAction.CloneURL(),
 Ref: sar.remoteAction.Ref,
 Dir: actionDir,
- Token: github.Token,
+ Token: "", /*
+ Shouldn't provide token when cloning actions,
+ the token comes from the instance which triggered the task,
+ however, it might be not the same instance which provides actions.
+ For GitHub, they are the same, always github.com.
+ But for Gitea, tasks triggered by a.com can clone actions from b.com.
+ */
 })
 var ntErr common.Executor
 if err := gitClone(ctx); err != nil {
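Review bot: Setting `Token: ""` unconditionally keeps the triggering instance's token away from whatever host serves the action, but it also means an action hosted on the same instance as the task is now cloned anonymously, so private action repositories there will presumably fail to clone. If that case matters, the token could be passed only when the parsed host of `sar.remoteAction.CloneURL()` equals the host of the instance that issued it, and left empty otherwise; compare parsed hosts rather than string prefixes, so a look-alike URL cannot receive the credential. The rationale would also read better as `//` lines above the field than as a `/* … */` block trailing the value, for example `// Never send the task token: the action may be hosted on a different instance.` followed by `Token: "",`. The body of prepareActionExecutor starts and ends outside this hunk, so any other use of `github.Token` in it is not visible here.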