feat: Add configurable permissions for Actions automatic tokens #36173


Draft

Excellencedev wants to merge 6 commits into go-gitea:main from Excellencedev:fix-24635

Conversation

@Excellencedev

Summary

Implements Issue #24635 - Support configuring permissions of automatic tokens for Actions jobs.

This PR adds the ability to configure the default permissions granted to the GITHUB_TOKEN when running workflow jobs in a repository. Users can now choose between:

  • Permissive mode (default): Workflows have read and write permissions for all scopes (backwards compatible with existing behavior)
  • Restricted mode: Workflows have read-only permissions by default

Changes

Backend

  • Extended ActionsConfig struct in models/repo/repo_unit.go with:

    • ActionsTokenPermissionMode type (permissive/restricted)
    • ActionsTokenPermissions struct for per-unit permissions (Contents, Issues, PullRequests, Packages, Actions, Wiki)
    • Helper methods for getting effective permissions and clamping
  • Modified GetActionsUserRepoPermission in models/perm/access/repo_permission.go to use configurable per-unit permissions instead of hardcoded access modes

  • Added UpdateTokenPermissions handler in routers/web/repo/setting/actions.go

Frontend

  • Added Token Permissions UI section in repository Settings → Actions → General
  • Added locale strings in options/locale/locale_en-US.ini

Tests

  • Added unit tests in models/repo/repo_unit_test.go for token permission methods
  • Added integration test TestActionsTokenPermissionsModes in tests/integration/actions_job_token_test.go

Screenshots

The new Token Permissions section appears in Settings → Actions → General:

  • Radio buttons for Permissive/Restricted mode
  • Warning note about fork PRs always being read-only
(image: Screenshot 2025-12-17 071658)

Notes

  • Fork pull requests always receive read-only access regardless of settings (security feature)
  • Default behavior is "permissive" for backwards compatibility
  • No database migration required - settings stored as JSON in existing repo_unit config

Related Issues

Closes #24635
/claim #24635

@GiteaBot added the lgtm/need 2 (This PR needs two approvals by maintainers to be considered for merging.) label Dec 17, 2025
@github-actions bot added the modifies/translation, modifies/go (Pull requests that update Go code) and modifies/templates (This PR modifies the template files) labels Dec 17, 2025
@Excellencedev (Author)

@lunny@wxiaoguang Please review this

@wxiaoguang (Contributor)

Thank you for asking me to review, but I don't use Actions. You can invite the maintainers from the original issue to review.


@Excellencedev (Author)

> Thank you for asking me to review, but I don't use Actions. You can invite the maintainers from the original issue to review.

@silverwind Please review

@silverwind (Member)

I review mostly frontend stuff and am not much of an actions user myself, so please be patient until someone finds time to review it properly.


@Excellencedev (Author)

> I review mostly frontend stuff and am not much of an actions user myself, so please be patient until someone finds time to review it properly.

No problem

@wxiaoguang (Contributor)

By the way, I see another (older) PR: Feat/actions token permissions #36113, it added more than 2000 lines of code.

What are the differences? Which PR would win ....... @Zettat123

@Zettat123 (Contributor)

> By the way, I see another (older) PR: Feat/actions token permissions #36113, it added more than 2000 lines of code.
>
> What are the differences? Which PR would win ....... @Zettat123

This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)

It seems that #36113 implemented these features, but I think its code needs improvement.


@silverwind (Member) commented Dec 18, 2025 (edited)

Issues I see on this screenshot:

  • Header text is black on dark theme
  • Contrast on light text is too low

I can probably help fix those, the first one may be a missing override of the fomantic CSS.

@Excellencedev (Author)

@Zettat123 @silverwind Pls give me a few hours (15-20 hours) and this PR will be ready to go
I will make sure to address all your comments and make sure I do everything from the issue
Drafting until then
When it is done, I will undraft it and notify you

@Excellencedev marked this pull request as draft December 18, 2025 01:53

@wxiaoguang (Contributor)

> By the way, I see another (older) PR: Feat/actions token permissions #36113, it added more than 2000 lines of code.
> What are the differences? Which PR would win ....... @Zettat123

> This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)
>
> It seems that #36113 implemented these features, but I think its code needs improvement.

But "PR: Feat/actions token permissions#36113" came first, and it is more complete, why not respect the first author, but only review this second one?

@Excellencedev (Author)

> By the way, I see another (older) PR: Feat/actions token permissions #36113, it added more than 2000 lines of code.
> What are the differences? Which PR would win ....... @Zettat123

> This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)
> It seems that #36113 implemented these features, but I think its code needs improvement.

> But "PR: Feat/actions token permissions #36113" came first, and it is more complete, why not respect the first author, but only review this second one?

@wxiaoguang should I close my PR?

@wxiaoguang (Contributor)

> By the way, I see another (older) PR: Feat/actions token permissions #36113, it added more than 2000 lines of code.
> What are the differences? Which PR would win ....... @Zettat123

> This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)
> It seems that #36113 implemented these features, but I think its code needs improvement.

> But "PR: Feat/actions token permissions #36113" came first, and it is more complete, why not respect the first author, but only review this second one?

> @wxiaoguang should I close my PR?

I don't know. Reviewers decide.

@Zettat123 (Contributor)

> By the way, I see another (older) PR: Feat/actions token permissions #36113, it added more than 2000 lines of code.
> What are the differences? Which PR would win ....... @Zettat123

> This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)
> It seems that #36113 implemented these features, but I think its code needs improvement.

> But "PR: Feat/actions token permissions #36113" came first, and it is more complete, why not respect the first author, but only review this second one?

I reviewed both PRs, but did not receive responses to my comments in #36113. If @Excellencedev will address the review comments, I think we should keep this PR.


@silverwind (Member) commented Dec 18, 2025 (edited)

Imho, the only sensible thing we can do is race these 2 PRs.


@Excellencedev (Author) commented Dec 18, 2025 (edited)

Addressed most of your comments in my latest commit, now I just need to make sure I fully implement the proposal in #24635

```go
// DefaultTokenPermissions defines the default permissions for workflow tokens
DefaultTokenPermissions *ActionsTokenPermissions `json:"default_token_permissions,omitempty"`
// MaxTokenPermissions defines the maximum permissions (cannot be exceeded by workflow permissions keyword)
MaxTokenPermissions *ActionsTokenPermissions `json:"max_token_permissions,omitempty"`
```

Contributor (review comment on the lines above)

I didn't find a form on the settings page to configure MaxTokenPermissions, is it unused?
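The permission model from the PR summary (permissive/restricted mode, per-unit permissions, clamping, fork PRs always read-only) together with the Default/Max fields quoted in this review comment, worked through as an added Go example; this is not the PR's code. The type names, the unit list, and the reading of MaxTokenPermissions as a hard ceiling on the workflow's `permissions` keyword (taken from the snippet's own comment) are assumptions.

```go
package main
type AccessMode int // follows the ordering of Gitea's perm.AccessMode; defined locally here
const AccessModeNone, AccessModeRead, AccessModeWrite AccessMode = 0, 1, 2
type Mode string // the repository-level permissive/restricted switch the PR adds
const ModePermissive, ModeRestricted Mode = "permissive", "restricted"

// Units are the per-unit scopes the PR lists (names assumed); TokenPermissions holds one mode each.
var Units = []string{"contents", "issues", "pull_requests", "packages", "actions", "wiki"}
type TokenPermissions map[string]AccessMode

func uniform(m AccessMode) TokenPermissions {
	p := TokenPermissions{}
	for _, u := range Units {
		p[u] = m
	}
	return p
}

// clamp takes the lower mode per unit; a unit missing from either table gets no access.
func clamp(p, ceiling TokenPermissions) TokenPermissions {
	out := TokenPermissions{}
	for _, u := range Units {
		out[u] = p[u] // a missing key reads as AccessModeNone (the zero value)
		if ceiling[u] < out[u] {
			out[u] = ceiling[u]
		}
	}
	return out
}

// Effective: mode default unless the workflow's permissions keyword (requested) overrides it,
// never above maxPerms (MaxTokenPermissions), and read-only for fork pull requests.
func Effective(mode Mode, maxPerms, requested TokenPermissions, forkPR bool) TokenPermissions {
	def := uniform(AccessModeWrite) // permissive: read/write on every unit (old behaviour)
	if mode == ModeRestricted {
		def = uniform(AccessModeRead)
	}
	if requested == nil {
		requested = def
	}
	ceiling := uniform(AccessModeWrite)
	if maxPerms != nil {
		ceiling = maxPerms
	}
	if forkPR { // always read-only, regardless of settings, as the PR notes
		ceiling = uniform(AccessModeRead)
	}
	return clamp(requested, ceiling)
}
func main() { _ = Effective(ModeRestricted, nil, nil, true) }
```

With this reading, MaxTokenPermissions is only meaningful once something can set it, which is the gap the review comment above points at.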

@Zettat123 (Contributor)

According to the solution in #24635, I think this PR does not implement:

  • Support configuring the permissions
  • Support configuring access between repositories
  • Private packages can be accessed by Actions only when they have been linked to repositories

@Excellencedev (Author)

> According to the solution in #24635, I think this PR does not implement:
>
>   • Support configuring the permissions
>   • Support configuring access between repositories
>   • Private packages can be accessed by Actions only when they have been linked to repositories

Ok no problem. I'm working on it


@github-actions bot added the modifies/api (This PR adds API routes or modifies them) label Dec 18, 2025

Reviewers

  • silverwind left review comments
  • Zettat123 left review comments

Assignees

No one assigned

Labels

🙋 Bounty claim, lgtm/need 2 (This PR needs two approvals by maintainers to be considered for merging.), modifies/api (This PR adds API routes or modifies them), modifies/go (Pull requests that update Go code), modifies/templates (This PR modifies the template files), modifies/translation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues: [Proposal] Support configuring permissions of automatic tokens of Actions jobs

5 participants

@Excellencedev @wxiaoguang @silverwind @Zettat123 @GiteaBot
