The runner previously treated secrets named DOCKER_USERNAME and DOCKER_PASSWORD as implicit Docker pull credentials, attaching them to every job- and step-container image pull unconditionally. Since these credentials carry no registry information, they were even sent to Docker Hub when pulling public images, causing those pulls to fail with authentication errors. This behavior has been removed.
Workflows or runner setups that relied on DOCKER_USERNAME / DOCKER_PASSWORD being implicitly used for Docker image pulls must migrate to an explicit authentication mechanism:
For private job container images, use container.credentials:
For private service container images, use service credentials.
For private uses: docker://... or private Docker actions, configure Docker authentication in the runner environment before the job starts (e.g. run docker login on the runner host).
DOCKER_USERNAME and DOCKER_PASSWORD can still be used as ordinary workflow secrets, for example with docker/login-action before pushing images.
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [gitea/runner](https://gitea.com/gitea/runner) | major | `1.0.8` → `2.0.0` |
---
### Release Notes
<details>
<summary>gitea/runner (gitea/runner)</summary>
### [`v2.0.0`](https://gitea.com/gitea/runner/releases/tag/v2.0.0)
[Compare Source](https://gitea.com/gitea/runner/compare/v1.0.8...v2.0.0)
#### ⚠️ Breaking changes
##### `DOCKER_USERNAME` / `DOCKER_PASSWORD` are no longer used implicitly for image pulls
See <https://gitea.com/gitea/runner/pulls/1007>
The runner previously treated secrets named `DOCKER_USERNAME` and `DOCKER_PASSWORD` as implicit Docker pull credentials, attaching them to every job- and step-container image pull unconditionally. Since these credentials carry no registry information, they were even sent to Docker Hub when pulling public images, causing those pulls to fail with authentication errors. This behavior has been removed.
Workflows or runner setups that relied on `DOCKER_USERNAME` / `DOCKER_PASSWORD` being implicitly used for Docker image pulls must migrate to an explicit authentication mechanism:
- For private **job container** images, use `container.credentials`:
```yaml
jobs:
build:
container:
image: registry.example.com/image:tag
credentials:
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
```
- For private **service container** images, use service `credentials`.
- For private `uses: docker://...` or private Docker actions, configure Docker authentication in the runner environment before the job starts (e.g. run `docker login` on the runner host).
`DOCKER_USERNAME` and `DOCKER_PASSWORD` can still be used as ordinary workflow secrets, for example with `docker/login-action` before pushing images.
#### Features
- Shallow clone action repositories — <https://gitea.com/gitea/runner/pulls/1053>
- Enable `jobs.<job_id>.timeout-minutes` and `jobs.<job_id>.continue-on-error` — <https://gitea.com/gitea/runner/pulls/1032>
- Add optional `runner.post_task_script` hook after task cleanup — <https://gitea.com/gitea/runner/pulls/1026>
- Support `ssh://` action URLs — <https://gitea.com/gitea/runner/pulls/1035>
- IPv6 options for network container creation — <https://gitea.com/gitea/runner/pulls/1029>
- Complete runner-side cancellation handling — <https://gitea.com/gitea/runner/pulls/1016>
- Upload job summary when supported — <https://gitea.com/gitea/runner/pulls/917>
#### Bug fixes
- Composite nested `uses` clone token — <https://gitea.com/gitea/runner/pulls/1041>
- Namespace local docker action image tags per repository — <https://gitea.com/gitea/runner/pulls/1051>
- Run `always()`/`cancelled()` and post steps correctly on cancellation — <https://gitea.com/gitea/runner/pulls/1043>
- Guard `SetJobError` against missing job-error container — <https://gitea.com/gitea/runner/pulls/1050>
- Interpolate job `container.volume` — <https://gitea.com/gitea/runner/pulls/1036>
- Kill Unix step process group on cancel to avoid hang — <https://gitea.com/gitea/runner/pulls/1025>
- Prevent loss of step log output at end of step — <https://gitea.com/gitea/runner/pulls/1028>
- Bound host-environment cleanup and reclaim leaked scratch dirs — <https://gitea.com/gitea/runner/pulls/1024>
- Do not update cached actions with stale origin URL — <https://gitea.com/gitea/runner/pulls/1014>
#### Build & docs
- Cover Windows Go files in build — <https://gitea.com/gitea/runner/pulls/1052>
- Improve cache documentation — <https://gitea.com/gitea/runner/pulls/1034>
- Update docker-images docs — <https://gitea.com/gitea/runner/pulls/1020>
#### Dependencies
- Update `github.com/moby/moby/client` to v0.5.0 — <https://gitea.com/gitea/runner/pulls/1049>
- Update `github.com/docker/cli` to v29.6.0 — <https://gitea.com/gitea/runner/pulls/1045>
- Update docker docker tag to v29.6.0 — <https://gitea.com/gitea/runner/pulls/1044>
- Update `actions/checkout` action to v7 — <https://gitea.com/gitea/runner/pulls/1042>
- Update `go.etcd.io/bbolt` to v1.5.0 — <https://gitea.com/gitea/runner/pulls/1040>
- Update `golang.org/x/term` to v0.44.0 — <https://gitea.com/gitea/runner/pulls/1031>
- Update alpine docker tag to v3.24 — <https://gitea.com/gitea/runner/pulls/1030>
- Update `golang.org/x/crypto` to v0.52.0 — <https://gitea.com/gitea/runner/pulls/1027>
- Update docker docker tag to v29.5.3 — <https://gitea.com/gitea/runner/pulls/1021>
- Update `golang.org/x/sys` to v0.46.0 — <https://gitea.com/gitea/runner/pulls/1019>
- Update `github.com/docker/cli` to v29.5.3 — <https://gitea.com/gitea/runner/pulls/1018>
- Update `github.com/opencontainers/selinux` to v1.15.1 — <https://gitea.com/gitea/runner/pulls/1017>
- Update `golang.org/x/sys` to v0.45.0 — <https://gitea.com/gitea/runner/pulls/1012>
- Update `code.gitea.io/actions-proto-go` to v0.5.0 — <https://gitea.com/gitea/runner/pulls/1009>
**Full changelog**: <https://gitea.com/gitea/runner/compare/v1.0.8...v2.0.0>
🤖 Release notes compiled by Opus 4.8.
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- At any time (no schedule defined)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjI0OS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
This PR contains the following updates:
1.0.8→2.0.0Release Notes
gitea/runner (gitea/runner)
v2.0.0Compare Source
⚠️ Breaking changes
DOCKER_USERNAME/DOCKER_PASSWORDare no longer used implicitly for image pullsSee https://gitea.com/gitea/runner/pulls/1007
The runner previously treated secrets named
DOCKER_USERNAMEandDOCKER_PASSWORDas implicit Docker pull credentials, attaching them to every job- and step-container image pull unconditionally. Since these credentials carry no registry information, they were even sent to Docker Hub when pulling public images, causing those pulls to fail with authentication errors. This behavior has been removed.Workflows or runner setups that relied on
DOCKER_USERNAME/DOCKER_PASSWORDbeing implicitly used for Docker image pulls must migrate to an explicit authentication mechanism:container.credentials:credentials.uses: docker://...or private Docker actions, configure Docker authentication in the runner environment before the job starts (e.g. rundocker loginon the runner host).DOCKER_USERNAMEandDOCKER_PASSWORDcan still be used as ordinary workflow secrets, for example withdocker/login-actionbefore pushing images.Features
jobs.<job_id>.timeout-minutesandjobs.<job_id>.continue-on-error— https://gitea.com/gitea/runner/pulls/1032runner.post_task_scripthook after task cleanup — https://gitea.com/gitea/runner/pulls/1026ssh://action URLs — https://gitea.com/gitea/runner/pulls/1035Bug fixes
usesclone token — https://gitea.com/gitea/runner/pulls/1041always()/cancelled()and post steps correctly on cancellation — https://gitea.com/gitea/runner/pulls/1043SetJobErroragainst missing job-error container — https://gitea.com/gitea/runner/pulls/1050container.volume— https://gitea.com/gitea/runner/pulls/1036Build & docs
Dependencies
github.com/moby/moby/clientto v0.5.0 — https://gitea.com/gitea/runner/pulls/1049github.com/docker/clito v29.6.0 — https://gitea.com/gitea/runner/pulls/1045actions/checkoutaction to v7 — https://gitea.com/gitea/runner/pulls/1042go.etcd.io/bboltto v1.5.0 — https://gitea.com/gitea/runner/pulls/1040golang.org/x/termto v0.44.0 — https://gitea.com/gitea/runner/pulls/1031golang.org/x/cryptoto v0.52.0 — https://gitea.com/gitea/runner/pulls/1027golang.org/x/systo v0.46.0 — https://gitea.com/gitea/runner/pulls/1019github.com/docker/clito v29.5.3 — https://gitea.com/gitea/runner/pulls/1018github.com/opencontainers/selinuxto v1.15.1 — https://gitea.com/gitea/runner/pulls/1017golang.org/x/systo v0.45.0 — https://gitea.com/gitea/runner/pulls/1012code.gitea.io/actions-proto-goto v0.5.0 — https://gitea.com/gitea/runner/pulls/1009Full changelog: https://gitea.com/gitea/runner/compare/v1.0.8...v2.0.0
🤖 Release notes compiled by Opus 4.8.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.