Fix various bugs (#35684) (#35696)

Backport #35684 by wxiaoguang
2025-10-27 01:24:09 -04:00 · 2025-10-19 02:26:03 +08:00
parent f71df88a6b
commit 4af1d58c86
15 changed files with 98 additions and 86 deletions
--- a/services/secrets/validation.go
+++ b/services/secrets/validation.go
@@ -5,21 +5,29 @@ package secrets

 import (
 	"regexp"
+	"strings"
+	"sync"

 	"code.gitea.io/gitea/modules/util"
 )

+// https://docs.github.com/en/actions/learn-github-actions/variables#naming-conventions-for-configuration-variables
 // https://docs.github.com/en/actions/security-guides/encrypted-secrets#naming-your-secrets
-var (
-	namePattern            = regexp.MustCompile("(?i)^[A-Z_][A-Z0-9_]*$")
-	forbiddenPrefixPattern = regexp.MustCompile("(?i)^GIT(EA|HUB)_")
-
-	ErrInvalidName = util.NewInvalidArgumentErrorf("invalid secret name")
-)
+var globalVars = sync.OnceValue(func() (ret struct {
+	namePattern, forbiddenPrefixPattern *regexp.Regexp
+},
+) {
+	ret.namePattern = regexp.MustCompile("(?i)^[A-Z_][A-Z0-9_]*$")
+	ret.forbiddenPrefixPattern = regexp.MustCompile("(?i)^GIT(EA|HUB)_")
+	return ret
+})

 func ValidateName(name string) error {
-	if !namePattern.MatchString(name) || forbiddenPrefixPattern.MatchString(name) {
-		return ErrInvalidName
+	vars := globalVars()
+	if !vars.namePattern.MatchString(name) ||
+		vars.forbiddenPrefixPattern.MatchString(name) ||
+		strings.EqualFold(name, "CI") /* CI is always set to true in GitHub Actions*/ {
+		return util.NewInvalidArgumentErrorf("invalid variable or secret name")
 	}
 	return nil
 }