feat: Add configurable permissions for Actions automatic tokens

cmd/hook.go

@@ -195,6 +195,7 @@ Gitea or set your environment appropriately.`, "")
 	prID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvPRID), 10, 64)
 	deployKeyID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvDeployKeyID), 10, 64)
 	actionPerm, _ := strconv.Atoi(os.Getenv(repo_module.EnvActionPerm))
+	actionsTaskID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvActionsTaskID), 10, 64)
 
 	hookOptions := private.HookOptions{
 		UserID:                          userID,
@@ -205,6 +206,7 @@ Gitea or set your environment appropriately.`, "")
 		PullRequestID:                   prID,
 		DeployKeyID:                     deployKeyID,
 		ActionPerm:                      actionPerm,
+		ActionsTaskID:                   actionsTaskID,
 	}
 
 	scanner := bufio.NewScanner(os.Stdin)

models/actions/config.go

@@ -0,0 +1,44 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"context"
+
+	repo_model "code.gitea.io/gitea/models/repo"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/json"
+)
+
+// GetOrgActionsConfig loads the ActionsConfig for an organization from user settings
+// It returns a default config if no setting is found
+func GetOrgActionsConfig(ctx context.Context, orgID int64) (*repo_model.ActionsConfig, error) {
+	val, err := user_model.GetUserSetting(ctx, orgID, "actions.config")
+	if err != nil {
+		return nil, err
+	}
+
+	cfg := &repo_model.ActionsConfig{}
+	if val == "" {
+		// Return defaults if no config exists
+		cfg.CrossRepoMode = repo_model.ActionsCrossRepoModeAll
+		return cfg, nil
+	}
+
+	if err := json.Unmarshal([]byte(val), cfg); err != nil {
+		return nil, err
+	}
+
+	return cfg, nil
+}
+
+// SetOrgActionsConfig saves the ActionsConfig for an organization to user settings
+func SetOrgActionsConfig(ctx context.Context, orgID int64, cfg *repo_model.ActionsConfig) error {
+	bs, err := json.Marshal(cfg)
+	if err != nil {
+		return err
+	}
+
+	return user_model.SetUserSetting(ctx, orgID, "actions.config", string(bs))
+}

models/actions/run_job.go

@@ -51,6 +51,10 @@ type ActionRunJob struct {
 	ConcurrencyGroup  string `xorm:"index(repo_concurrency) NOT NULL DEFAULT ''"` // evaluated concurrency.group
 	ConcurrencyCancel bool   `xorm:"NOT NULL DEFAULT FALSE"`                      // evaluated concurrency.cancel-in-progress
 
+	// TokenPermissions stores the parsed permissions from the workflow YAML (workflow + job level, clamped by repo max settings)
+	// This is JSON-encoded repo_model.ActionsTokenPermissions
+	TokenPermissions string `xorm:"TEXT"`
+
 	Started timeutil.TimeStamp
 	Stopped timeutil.TimeStamp
 	Created timeutil.TimeStamp `xorm:"created"`

models/migrations/migrations.go

@@ -399,6 +399,7 @@ func prepareMigrationTasks() []*migration {
 
 		newMigration(323, "Add support for actions concurrency", v1_26.AddActionsConcurrency),
 		newMigration(324, "Fix closed milestone completeness for milestones with no issues", v1_26.FixClosedMilestoneCompleteness),
+		newMigration(325, "Add TokenPermissions column to ActionRunJob", v1_26.AddTokenPermissionsToActionRunJob),
 	}
 	return preparedMigrations
 }

models/migrations/v1_26/v325.go

@@ -0,0 +1,15 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_26
+
+import (
+	"xorm.io/xorm"
+)
+
+func AddTokenPermissionsToActionRunJob(x *xorm.Engine) error {
+	type ActionRunJob struct {
+		TokenPermissions string `xorm:"TEXT"`
+	}
+	return x.Sync(new(ActionRunJob))
+}

models/perm/access/repo_permission.go

@@ -104,6 +104,7 @@ func (p *Permission) UnitAccessMode(unitType unit.Type) perm_model.AccessMode {
 }
 
 func (p *Permission) SetUnitsWithDefaultAccessMode(units []*repo_model.RepoUnit, mode perm_model.AccessMode) {
+	p.AccessMode = mode
 	p.units = units
 	p.unitsMode = make(map[unit.Type]perm_model.AccessMode)
 	for _, u := range p.units {
@@ -268,37 +269,141 @@ func GetActionsUserRepoPermission(ctx context.Context, repo *repo_model.Reposito
 		return perm, err
 	}
 
-	var accessMode perm_model.AccessMode
+	if err := repo.LoadUnits(ctx); err != nil {
+		return perm, err
+	}
+
+	if err := repo.LoadOwner(ctx); err != nil {
+		return perm, err
+	}
+
+	actionsUnit, err := repo.GetUnit(ctx, unit.TypeActions)
+	if err != nil {
+		// If Actions unit doesn't exist, return empty permission
+		if repo_model.IsErrUnitTypeNotExist(err) {
+			return perm, nil
+		}
+		return perm, err
+	}
+	actionsCfg := actionsUnit.ActionsConfig()
+
 	if task.RepoID != repo.ID {
 		taskRepo, exist, err := db.GetByID[repo_model.Repository](ctx, task.RepoID)
 		if err != nil || !exist {
 			return perm, err
 		}
-		actionsCfg := repo.MustGetUnit(ctx, unit.TypeActions).ActionsConfig()
-		if !actionsCfg.IsCollaborativeOwner(taskRepo.OwnerID) || !taskRepo.IsPrivate {
+
+		// Check Organization Cross-Repo Access Policy
+		if err := repo.LoadOwner(ctx); err != nil {
+			return perm, err
+		}
+
+		isSameOrg := false
+		if repo.OwnerID == taskRepo.OwnerID && repo.Owner.IsOrganization() {
+			isSameOrg = true
+			orgCfg, err := actions_model.GetOrgActionsConfig(ctx, repo.OwnerID)
+			if err != nil {
+				return perm, err
+			}
+			if !orgCfg.IsRepoAllowedCrossAccess(repo.ID) {
+				// Deny access if cross-repo is disabled or not allowed for this specific repo
+				return perm, nil
+			}
+		}
+
+		if (!isSameOrg && !actionsCfg.IsCollaborativeOwner(taskRepo.OwnerID)) || !taskRepo.IsPrivate {
 			// The task repo can access the current repo only if the task repo is private and
 			// the owner of the task repo is a collaborative owner of the current repo.
 			// FIXME should owner's visibility also be considered here?
+			//
+			// If not, we check if they are in the same org and cross-repo access is allowed.
+			// If allowed, we grant Read Access (consistent with old behavior and package access).
+			// If NOT allowed (checked above for sameOrg), we fall through to here.
 
-			// check permission like simple user but limit to read-only
-			perm, err = GetUserRepoPermission(ctx, repo, user_model.NewActionsUser())
-			if err != nil {
-				return perm, err
+			if !isSameOrg && repo.IsPrivate {
+				return perm, nil
+			}
+		}
+
+		// Cross-repo access is always read-only
+		perm.SetUnitsWithDefaultAccessMode(repo.Units, perm_model.AccessModeRead)
+		return perm, nil
+	}
+
+	// First check if job has explicit permissions stored from workflow YAML
+	var effectivePerms repo_model.ActionsTokenPermissions
+	var jobLoaded bool
+
+	// Only attempt to load job if JobID is set (non-zero)
+	if task.JobID != 0 {
+		if err := task.LoadJob(ctx); err == nil {
+			jobLoaded = true
+		} else {
+			// If loading job fails (e.g. resource doesn't exist), log it but fall back to repo permissions
+			// This prevents 500 errors if the task has a broken job link
+			log.Warn("GetActionsUserRepoPermission: failed to load job %d for task %d: %v", task.JobID, task.ID, err)
+		}
+	}
+
+	if jobLoaded && task.Job != nil && task.Job.TokenPermissions != "" {
+		// Use permissions parsed from workflow YAML (already clamped by repo max settings during insertion)
+		effectivePerms, err = repo_model.UnmarshalTokenPermissions(task.Job.TokenPermissions)
+		if err != nil {
+			// Fall back to repository settings if unmarshal fails
+			// If following org config, we need to load it
+			if !actionsCfg.OverrideOrgConfig && repo.Owner.IsOrganization() {
+				orgCfg, err := actions_model.GetOrgActionsConfig(ctx, repo.OwnerID)
+				if err != nil {
+					log.Error("GetOrgActionsConfig: %v", err)
+					effectivePerms = actionsCfg.GetEffectiveTokenPermissions(task.IsForkPullRequest) // Fallback to repo config on error
+				} else {
+					effectivePerms = orgCfg.GetEffectiveTokenPermissions(task.IsForkPullRequest)
+					effectivePerms = orgCfg.ClampPermissions(effectivePerms)
+				}
+			} else {
+				effectivePerms = actionsCfg.GetEffectiveTokenPermissions(task.IsForkPullRequest)
+				effectivePerms = actionsCfg.ClampPermissions(effectivePerms)
 			}
-			perm.AccessMode = min(perm.AccessMode, perm_model.AccessModeRead)
-			return perm, nil
 		}
-		accessMode = perm_model.AccessModeRead
-	} else if task.IsForkPullRequest {
-		accessMode = perm_model.AccessModeRead
 	} else {
-		accessMode = perm_model.AccessModeWrite
+		// No workflow permissions or job not found, use repository settings
+		if !actionsCfg.OverrideOrgConfig && repo.Owner.IsOrganization() {
+			orgCfg, err := actions_model.GetOrgActionsConfig(ctx, repo.OwnerID)
+			if err != nil {
+				log.Error("GetOrgActionsConfig: %v", err)
+				effectivePerms = actionsCfg.GetEffectiveTokenPermissions(task.IsForkPullRequest) // Fallback to repo config on error
+				effectivePerms = actionsCfg.ClampPermissions(effectivePerms)
+			} else {
+				effectivePerms = orgCfg.GetEffectiveTokenPermissions(task.IsForkPullRequest)
+				effectivePerms = orgCfg.ClampPermissions(effectivePerms)
+			}
+		} else {
+			effectivePerms = actionsCfg.GetEffectiveTokenPermissions(task.IsForkPullRequest)
+			effectivePerms = actionsCfg.ClampPermissions(effectivePerms)
+		}
 	}
 
-	if err := repo.LoadUnits(ctx); err != nil {
-		return perm, err
+	// Set up per-unit access modes based on configured permissions
+	perm.units = repo.Units
+	perm.unitsMode = make(map[unit.Type]perm_model.AccessMode)
+	perm.unitsMode[unit.TypeCode] = effectivePerms.Code
+	perm.unitsMode[unit.TypeIssues] = effectivePerms.Issues
+	perm.unitsMode[unit.TypePullRequests] = effectivePerms.PullRequests
+	perm.unitsMode[unit.TypePackages] = effectivePerms.Packages
+	perm.unitsMode[unit.TypeActions] = effectivePerms.Actions
+	perm.unitsMode[unit.TypeWiki] = effectivePerms.Wiki
+	perm.unitsMode[unit.TypeReleases] = effectivePerms.Releases
+	perm.unitsMode[unit.TypeProjects] = effectivePerms.Projects
+
+	// Set base access mode to the maximum of all unit permissions
+	maxMode := perm_model.AccessModeNone
+	for _, mode := range perm.unitsMode {
+		if mode > maxMode {
+			maxMode = mode
+		}
 	}
-	perm.SetUnitsWithDefaultAccessMode(repo.Units, accessMode)
+	perm.AccessMode = maxMode
+
 	return perm, nil
 }