fix(config): load runner registration token from file on server #3872
Draft
cursor[bot] wants to merge 1 commit into
When only registration_token_file (or SEMAPHORE_RUNNER_REGISTRATION_TOKEN_FILE) was set, RunnerRegistrationToken stayed empty so the runner registration API rejected every request. Read the file during ConfigInit and fill the inline token fields when they are still empty so file-based secrets match the runner client and API validation.

Co-authored-by: Denis Gukov <fiftin@outlook.com>
Bug and impact
If the Semaphore process was configured with only a runner registration token file (registration_token_file / SEMAPHORE_RUNNER_REGISTRATION_TOKEN_FILE), the token was never applied to RunnerRegistrationToken. The runner registration HTTP handler treats an empty RunnerRegistrationToken as invalid, so every registration attempt failed even when the client sent the correct token read from its own copy of the file. This primarily affects deployments that mount Docker/Kubernetes secrets via a *_FILE environment variable.

Root cause
initRunnerRegistrationToken() (which reads the file into Runner.RegistrationToken) runs only in the runner CLI (runner start/register), not during general ConfigInit used by the server. The API compares the request body to Config.RunnerRegistrationToken, which stayed empty when only the file path was configured.

Fix
During ConfigInit, after loading environment and defaults, read Runner.RegistrationTokenFile when set and populate RunnerRegistrationToken and Runner.RegistrationToken only when those strings are still empty (so an inline env token continues to take precedence).

Validation
go test ./util -count=1 (includes new tests for file-only and env-precedence cases).