Skip to content

feat: Add configurable permissions for Actions automatic tokens #36173

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Excellencedev wants to merge 126 commits into
base: main
Choose a base branch
from
Draft

feat: Add configurable permissions for Actions automatic tokens #36173

Excellencedev wants to merge 126 commits into from

Conversation

@Excellencedev
Copy link

@Excellencedev Excellencedev commented Dec 17, 2025
edited
Loading

Overview

This PR introduces granular permission controls for Gitea Actions tokens (GITEA_TOKEN), aligning Gitea's security model with GitHub Actions standards while maintaining compatibility with Gitea's unique repository unit system.

It addresses the need for finer access control by allowing administrators and repository owners to define default token permissions, set maximum permission ceilings, and control cross-repository access within organizations.

Key Features

1. Granular Token Permissions
  • Standard Keyword Support: Implements support for the permissions: keyword in workflow and job YAML files (e.g., contents: read, issues: write).
  • Permission Modes:
    • Permissive: Default write access for most units (backwards compatible).
    • Restricted: Default read-only access for contents and packages, with no access to other units.
    • Custom: Allows defining specific default levels for each unit type (Code, Issues, PRs, Packages, etc.).
  • Clamping Logic: Workflow-defined permissions are automatically "clamped" by repository or organization-level maximum settings. Workflows cannot escalate their own permissions beyond these limits.
2. Organization & Repository Settings
  • Settings UI: Added new settings pages at both Organization and Repository levels to manage Actions token defaults and maximums.
  • Inheritance: Repositories can be configured to "Follow organization-level configuration," simplifying management across large organizations.
  • Cross-Repository Access: Added a policy to control whether Actions workflows can access other repositories or packages within the same organization. This can be set to "None," "All," or restricted to a "Selected" list of repositories.
3. Security Hardening
  • Fork Pull Request Protection: Tokens for workflows triggered by pull requests from forks are strictly enforced as read-only, regardless of repository settings.
  • Package Access: Actions tokens can now only access packages explicitly linked to a repository, with cross-repo access governed by the organization's security policy.
  • Git Hook Integration: Propagates Actions Task IDs to git hooks to ensure that pushes performed by Actions tokens respect the specific permissions granted at runtime.
4. Technical Implementation
  • Permission Persistence: Parsed permissions are calculated at job creation and stored in the action_run_job table. This ensures the token's authority is deterministic throughout the job's lifecycle.
  • Parsing Priority: Implemented a priority system in the YAML parser where the broad contents scope is applied first, allowing granular scopes like code or releases to override it for precise control.
  • Re-runs: Permissions are re-evaluated during a job re-run to incorporate any changes made to repository settings in the interim.

How to Test

  1. Unit Tests: Run go test ./services/actions/... and go test ./models/repo/... to verify parsing logic and permission clamping.
  2. Integration Tests: Comprehensive tests have been added to tests/integration/actions_job_token_test.go covering:
    • Permissive vs. Restricted mode behavior.
    • YAML permissions: keyword evaluation.
    • Organization cross-repo access policies.
    • Resource access (Git, API, and Packages) under various permission configs.
  3. Manual Verification:
    • Navigate to Site/Org/Repo Settings -> Actions -> General.
    • Change "Default Token Permissions" and verify that newly triggered workflows reflect these changes in their GITEA_TOKEN capabilities.
    • Attempt a cross-repo API call from an Action and verify the Org policy is enforced.

Documentation

Added a PR in gitea's docs for this : https://gitea.com/gitea/docs/pulls/318

/fixes #24635
/claim #24635

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Dec 17, 2025
@github-actions github-actions bot added modifies/translation modifies/go Pull requests that update Go code modifies/templates This PR modifies the template files labels Dec 17, 2025
@Excellencedev
Copy link
Author

Excellencedev commented Dec 17, 2025

@lunny @wxiaoguang Please review this

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Dec 17, 2025

Thank you for asking me to review, but I don't use Actions. You can invite the maintainers from the original issue to review.

@Excellencedev
Copy link
Author

Excellencedev commented Dec 17, 2025

Thank you for asking me to review, but I don't use Actions. You can invite the maintainers from the original issue to review.

@silverwind Please review

@lunny lunny requested a review from Zettat123 December 17, 2025 16:53
@silverwind
Copy link
Member

silverwind commented Dec 17, 2025

I review mostly frontend stuff and am not much of an actions user myself, so please be patient until someone finds time to review it properly.

@Excellencedev
Copy link
Author

Excellencedev commented Dec 17, 2025

I review mostly frontend stuff and am not much of an actions user myself, so please be patient until someone finds time to review it properly.

No problem

Zettat123
Zettat123 reviewed Dec 17, 2025
View reviewed changes
@wxiaoguang
Copy link
Contributor

wxiaoguang commented Dec 17, 2025

By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.

What are the differences? Which PR would win ....... @Zettat123

@Zettat123
Copy link
Contributor

Zettat123 commented Dec 17, 2025

By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.

What are the differences? Which PR would win ....... @Zettat123

This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)

It seems that #36113 implemented these features, but I think its code needs improvement.

silverwind
silverwind reviewed Dec 18, 2025
View reviewed changes
@silverwind
Copy link
Member

silverwind commented Dec 18, 2025
edited
Loading

Issues I see on this screenshot:

image
  • Header text is black on dark theme
  • Contrast on light text is too low

I can probably help fix those, the first one may be a missing override of the fomantic CSS.

@Excellencedev
Copy link
Author

Excellencedev commented Dec 18, 2025

@Zettat123 @silverwind Pls give me a few hours(15-20 hours) and this PR will be ready to go
I will make sure to address all your comments and make sure I do everything from the issue
Drafting until then
When it is done, I will undraft it and notify you

@Excellencedev Excellencedev marked this pull request as draft December 18, 2025 01:53
@wxiaoguang
Copy link
Contributor

wxiaoguang commented Dec 18, 2025

By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.
What are the differences? Which PR would win ....... @Zettat123

This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)

It seems that #36113 implemented these features, but I think its code needs improvement.

But "PR: Feat/actions token permissions #36113" came first, and it is more complete, why not respect the first author, but only review this second one?

@Excellencedev
Copy link
Author

Excellencedev commented Dec 18, 2025

By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.
What are the differences? Which PR would win ....... @Zettat123

This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)
It seems that #36113 implemented these features, but I think its code needs improvement.

But "PR: Feat/actions token permissions #36113" came first, and it is more complete, why not respect the first author, but only review this second one?

@wxiaoguang should i close my pr ?

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Dec 18, 2025

By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.
What are the differences? Which PR would win ....... @Zettat123

This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)
It seems that #36113 implemented these features, but I think its code needs improvement.

But "PR: Feat/actions token permissions #36113" came first, and it is more complete, why not respect the first author, but only review this second one?

@wxiaoguang should i close my pr ?

I don't know. Reviewers decide.

@Zettat123
Copy link
Contributor

Zettat123 commented Dec 18, 2025

By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.
What are the differences? Which PR would win ....... @Zettat123

This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)
It seems that #36113 implemented these features, but I think its code needs improvement.

But "PR: Feat/actions token permissions #36113" came first, and it is more complete, why not respect the first author, but only review this second one?

I reviewed both PRs, but did not receive responses to my comments in #36113. If @Excellencedev will address the review comments, I think we should keep this PR.

@silverwind
Copy link
Member

silverwind commented Dec 18, 2025
edited
Loading

Imho, the only sensible thing we can do is race these 2 PRs.

@Excellencedev
Copy link
Author

Excellencedev commented Dec 18, 2025
edited
Loading

Adressed most your comments in my latest commit, now i just need to make sure i fully implement the proposal in #24635

Zettat123
Zettat123 reviewed Dec 18, 2025
View reviewed changes
@Zettat123
Copy link
Contributor

Zettat123 commented Dec 18, 2025

According to the solution in #24635, I think this PR does not implement:

  • Support configuring the permissions
  • Support configuring access between repositories
  • Private packages can be accessed by Actions only when they have been linked to repositories

@Excellencedev
Copy link
Author

Excellencedev commented Jan 16, 2026

going to work on this weekend 🎉

@Excellencedev
Copy link
Author

Excellencedev commented Jan 16, 2026

@ChristopherHX pls review when you have time for a very rigorous review

@Excellencedev
Copy link
Author

Excellencedev commented Jan 17, 2026

should be good enough for at least aother review

@Excellencedev
Copy link
Author

Excellencedev commented Jan 17, 2026

will remove all the db.insert

@ChristopherHX
Copy link
Contributor

ChristopherHX commented Jan 18, 2026
edited
Loading

Thanks, I think the UI is better structured now

  • I would remove the red star from maximum permission now (this does not look like a required form field)
  • Customize maximum permission is now always enabled after reload / disabling it does not save
    • Org page has a popup that I have unsaved changes if I do this and then press the save button
    • Repo page has no popup
    • The whole maximum permission table is now defect and do not save
      • I wanted to try if I can see org permission restricting the repo override, but couldn't test this
      • Usually an org admin might want to prohibit a repo admin (who is no an org admin) from granting more access than the org allows
        • Both use cases could be useful, e.g. allow more access for selected repos / deny more access
  • stale translation entries needs to be fixed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@silverwind silverwind Awaiting requested review from silverwind

@ChristopherHX ChristopherHX Awaiting requested review from ChristopherHX

1 more reviewer

@Zettat123 Zettat123 Zettat123 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

🙋 Bounty claim lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. modifies/api This PR adds API routes or modifies them modifies/cli PR changes something on the CLI, i.e. gitea doctor or gitea admin modifies/frontend modifies/go Pull requests that update Go code modifies/migrations modifies/templates This PR modifies the template files topic/gitea-actions related to the actions of Gitea

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Proposal] Support configuring permissions of automatic tokens of Actions jobs

7 participants

@Excellencedev @wxiaoguang @silverwind @Zettat123 @ChristopherHX @lunny @GiteaBot