Authenticate cache requests via ACTIONS_RUNTIME_TOKEN and scope by repo (#849)

Closes #848. Addresses [GHSA-82g9-637c-2fx2](https://github.com/go-gitea/gitea/security/advisories/GHSA-82g9-637c-2fx2) and the follow-up points raised by @ChristopherHX and @haroutp in that thread.

The change is breaking only for `cache.external_server` which uses auth via a pre-shared secret.

## How auth works now

1. **Runner starts** → opens the embedded cache server on `:port`. Loads / creates a 32-byte HMAC signing key in `<cache-dir>/.secret`.
2. **Runner receives a task** → calls `handler.RegisterJob(ACTIONS_RUNTIME_TOKEN, repository)` before the job runs, defers a revoker that removes the credential on completion. Registrations are reference-counted so a stray re-register cannot revoke a live job.
3. **Job container runs `actions/cache`** → the toolkit sends `Authorization: Bearer $ACTIONS_RUNTIME_TOKEN` on every management call (`reserve`, `upload`, `commit`, `find`, `clean`). The cache server's middleware looks the token up in the registered-jobs map: miss → 401; hit → the job's repository is injected into the request context.
4. **Repository scoping** — every cache entry is stamped with `Repo` on reserve; `find`, `upload`, `commit` all verify the caller's repo matches. A job in repo A cannot see or poison a cache entry owned by repo B, even when both reach the server over the same docker bridge. GC dedup also groups by `(Repo, Key, Version)` so one repo can't age out another.
5. **Archive downloads** — `@actions/cache` does not attach Authorization when downloading `archiveLocation`, so the `find` response is a short-lived HMAC-signed URL: `…/artifacts/:id?exp=<unix>&sig=<hmac>`, 10-minute TTL, signature binds `cacheID:exp`. Tampered, expired, or foreign-secret URLs get 401.
6. **Defence-in-depth** — `ACTIONS_RUNTIME_TOKEN` is added to `task.Secrets` so the runner's log masker scrubs it from step output.

## `cache.external_server` (standalone `act_runner cache-server`)

Operators set `cache.external_secret` to the same value on the runner config and the `act_runner cache-server` config. The `cache-server` then runs with bearer auth on the cache API and exposes a control-plane at `POST /_internal/{register,revoke}` (gated by the shared secret). The runner pre-registers each task's `ACTIONS_RUNTIME_TOKEN` with the remote server before the job runs and revokes it on completion. Same per-job auth + repo scoping as the embedded handler, just over the network.

`cache-server` refuses to start without `cache.external_secret`; runner config load also fails when `cache.external_server` is set without `cache.external_secret`.

## User-facing changes

- **One-time cache miss after upgrade.** Pre-existing entries in `bolt.db` have no `Repo` stamp and won't match any job — they'll be evicted by the normal GC. First job per cache key rebuilds its cache.
- **`cache.external_server` deployments must add `cache.external_secret`.** Breaking change for anyone running a standalone `act_runner cache-server`: set the same `cache.external_secret` in both the runner config and the cache-server config. Without it neither side starts.
- **No config changes required for the default setup.** Runners using the embedded cache server (the common case) keep working without any yaml edits; the auth mechanism is invisible to workflows.

---
This PR was written with the help of Claude Opus 4.7

---------

Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: Christopher Homberger <christopher.homberger@web.de>
Reviewed-on: https://gitea.com/gitea/act_runner/pulls/849
Reviewed-by: ChristopherHX <38043+christopherhx@noreply.gitea.com>

internal/app/run/runner.go

@@ -4,10 +4,12 @@
 package run
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
 	"maps"
+	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
@@ -38,9 +40,10 @@ type Runner struct {
 
 	cfg *config.Config
 
-	client client.Client
-	labels labels.Labels
-	envs   map[string]string
+	client       client.Client
+	labels       labels.Labels
+	envs         map[string]string
+	cacheHandler *artifactcache.Handler
 
 	runningTasks sync.Map
 	runningCount atomic.Int64
@@ -55,21 +58,24 @@ func NewRunner(cfg *config.Config, reg *config.Registration, cli client.Client)
 	}
 	envs := make(map[string]string, len(cfg.Runner.Envs))
 	maps.Copy(envs, cfg.Runner.Envs)
+	var cacheHandler *artifactcache.Handler
 	if cfg.Cache.Enabled == nil || *cfg.Cache.Enabled {
 		if cfg.Cache.ExternalServer != "" {
 			envs["ACTIONS_CACHE_URL"] = cfg.Cache.ExternalServer
 		} else {
-			cacheHandler, err := artifactcache.StartHandler(
+			handler, err := artifactcache.StartHandler(
 				cfg.Cache.Dir,
 				cfg.Cache.Host,
 				cfg.Cache.Port,
+				"",
 				log.StandardLogger().WithField("module", "cache_request"),
 			)
 			if err != nil {
 				log.Errorf("cannot init cache server, it will be disabled: %v", err)
 				// go on
 			} else {
-				envs["ACTIONS_CACHE_URL"] = cacheHandler.ExternalURL() + "/"
+				cacheHandler = handler
+				envs["ACTIONS_CACHE_URL"] = handler.ExternalURL() + "/"
 			}
 		}
 	}
@@ -84,11 +90,12 @@ func NewRunner(cfg *config.Config, reg *config.Registration, cli client.Client)
 	envs["GITEA_ACTIONS_RUNNER_VERSION"] = ver.Version()
 
 	return &Runner{
-		name:   reg.Name,
-		cfg:    cfg,
-		client: cli,
-		labels: ls,
-		envs:   envs,
+		name:         reg.Name,
+		cfg:          cfg,
+		client:       cli,
+		labels:       ls,
+		envs:         envs,
+		cacheHandler: cacheHandler,
 	}
 }
 
@@ -199,6 +206,21 @@ func (r *Runner) run(ctx context.Context, task *runnerv1.Task, reporter *report.
 		giteaRuntimeToken = preset.Token
 	}
 	r.envs["ACTIONS_RUNTIME_TOKEN"] = giteaRuntimeToken
+	// Mask the runtime token so it cannot be echoed in user step output; it is
+	// now also the cache server's bearer credential and leaking it would let
+	// any reader of the log impersonate this job against the cache.
+	if giteaRuntimeToken != "" {
+		task.Secrets["ACTIONS_RUNTIME_TOKEN"] = giteaRuntimeToken
+	}
+
+	// Register this job's runtime token with the local cache server so that
+	// cache requests from the job container can authenticate. The credential
+	// is removed when the task finishes, so a leaked token stops working as
+	// soon as the job ends rather than remaining valid for the runner's
+	// lifetime. Only applies to the embedded cache server; when the operator
+	// points the runner at an external cache via cfg.Cache.ExternalServer, it
+	// is that server's responsibility to authenticate requests.
+	defer r.registerCacheForTask(giteaRuntimeToken, preset.Repository, reporter)()
 
 	eventJSON, err := json.Marshal(preset.Event)
 	if err != nil {
@@ -278,6 +300,82 @@ func (r *Runner) run(ctx context.Context, task *runnerv1.Task, reporter *report.
 	return execErr
 }
 
+// registerCacheForTask tells the cache server to accept requests authenticated
+// with the given runtime token for the duration of this task. Returns a
+// function the caller must invoke (typically via defer) to revoke the
+// credential when the task finishes.
+//
+// Three modes:
+//   - Embedded handler: register in-process via RegisterJob.
+//   - external_server + external_secret: POST to the remote server's
+//     /_internal/register, defer a POST to /_internal/revoke. This is what
+//     enables full per-job auth and repo scoping over the network.
+//   - external_server alone (no secret): no-op revoker. The remote server is
+//     in legacy openMode and ignores the runtime token; trust is at the
+//     network layer.
+//
+// Safe with an empty token (older Gitea did not issue one).
+func (r *Runner) registerCacheForTask(token, repo string, reporter *report.Reporter) func() {
+	if token == "" {
+		return func() {}
+	}
+	if r.cacheHandler != nil {
+		return r.cacheHandler.RegisterJob(token, repo)
+	}
+	if r.cfg.Cache.ExternalServer != "" && r.cfg.Cache.ExternalSecret != "" {
+		return r.registerExternalCacheJob(token, repo, reporter)
+	}
+	return func() {}
+}
+
+// registerExternalCacheJob POSTs to the remote cache-server's control-plane.
+// Failures are logged but not fatal: if registration fails, the cache will
+// 401 the job's requests — better than failing the whole task for a cache
+// outage. The warning is mirrored to the job log so users can see why their
+// cache calls 401, instead of having to read the runner daemon's stderr.
+func (r *Runner) registerExternalCacheJob(token, repo string, reporter *report.Reporter) func() {
+	base := strings.TrimRight(r.cfg.Cache.ExternalServer, "/")
+	if err := postInternalCache(base+"/_internal/register", r.cfg.Cache.ExternalSecret,
+		map[string]string{"token": token, "repo": repo}); err != nil {
+		log.Warnf("cache external_server register failed (%s): %v", base, err)
+		if reporter != nil {
+			reporter.Logf("::warning::cache external_server register failed (%s): %v — cache requests from this job will be unauthenticated and likely return 401", base, err)
+		}
+	}
+	return func() {
+		if err := postInternalCache(base+"/_internal/revoke", r.cfg.Cache.ExternalSecret,
+			map[string]string{"token": token}); err != nil {
+			log.Warnf("cache external_server revoke failed (%s): %v", base, err)
+			if reporter != nil {
+				reporter.Logf("::warning::cache external_server revoke failed (%s): %v", base, err)
+			}
+		}
+	}
+}
+
+func postInternalCache(url, secret string, body map[string]string) error {
+	buf, err := json.Marshal(body)
+	if err != nil {
+		return err
+	}
+	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(buf))
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Authorization", "Bearer "+secret)
+	req.Header.Set("Content-Type", "application/json")
+	client := &http.Client{Timeout: 5 * time.Second}
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode/100 != 2 {
+		return fmt.Errorf("status %d", resp.StatusCode)
+	}
+	return nil
+}
+
 func (r *Runner) RunningCount() int64 {
 	return r.runningCount.Load()
 }