feat: Add configurable permissions for Actions automatic tokens #36173
Conversation
GiteaBot
added
the
lgtm/need 2
github-actions
bot
added
modifies/translation
modifies/go
|
@lunny @wxiaoguang Please review this |
|
Thank you for asking me to review, but I don't use Actions. You can invite the maintainers from the original issue to review. |
@silverwind Please review |
|
I review mostly frontend stuff and am not much of an actions user myself, so please be patient until someone finds time to review it properly. |
No problem |
|
By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code. What are the differences? Which PR would win ....... @Zettat123 |
This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization) It seems that #36113 implemented these features, but I think its code needs improvement. |
|
Issues I see on this screenshot: 
I can probably help fix those, the first one may be a missing override of the fomantic CSS. |
|
@Zettat123 @silverwind Pls give me a few hours(15-20 hours) and this PR will be ready to go |
But "PR: Feat/actions token permissions #36113" came first, and it is more complete, why not respect the first author, but only review this second one? |
@wxiaoguang should i close my pr ? |
I don't know. Reviewers decide. |
I reviewed both PRs, but did not receive responses to my comments in #36113. If @Excellencedev will address the review comments, I think we should keep this PR. |
|
Imho, the only sensible thing we can do is race these 2 PRs. |
|
Adressed most your comments in my latest commit, now i just need to make sure i fully implement the proposal in #24635 |
|
According to the solution in #24635, I think this PR does not implement:
|
Ok no problem. I'm working on it |
github-actions
bot
added
the
modifies/api
|
@Zettat123 My PR is now ready for review ! |
| } | ||
|
|
||
| // HasRead checks if the permission has read access for the given scope | ||
| func (p ActionsTokenPermissions) HasRead(scope string) bool { |
There was a problem hiding this comment.
HasRead and HasWrite can be combined into a single function like
func (p ActionsTokenPermissions) HasAccess(scope string, required perm.AccessMode) bool {
var mode perm.AccessMode
switch scope {
case "actions":
mode = p.Actions
case "contents":
mode = p.Contents
case "issues":
mode = p.Issues
case "packages":
mode = p.Packages
case "pull_requests":
mode = p.PullRequests
case "wiki":
mode = p.Wiki
}
return mode >= required
}| @@ -0,0 +1,43 @@ | |||
| // Copyright 2024 The Gitea Authors. All rights reserved. | |||
There was a problem hiding this comment.
Should be 2025. Please also check other files.
| } | ||
| } | ||
|
|
||
| // 3. Fallthrough to GetActionsUserRepoPermission |
There was a problem hiding this comment.
Is this a TODO? Should we check the permission from GetActionsUserRepoPermission?
|
I got a 500 Error on 
|
5 participants
Summary
Implements Issue #24635 - Support configuring permissions of automatic tokens for Actions jobs.
This PR adds the ability to configure the default permissions granted to the GITHUB_TOKEN when running workflow jobs in a repository. Users can now choose between:
Changes
Backend
Extended
ActionsConfigstruct inmodels/repo/repo_unit.gowith:ActionsTokenPermissionModetype (permissive/restricted)ActionsTokenPermissionsstruct for per-unit permissions (Contents, Issues, PullRequests, Packages, Actions, Wiki)Modified
GetActionsUserRepoPermissioninmodels/perm/access/repo_permission.goto use configurable per-unit permissions instead of hardcoded access modesAdded
UpdateTokenPermissionshandler inrouters/web/repo/setting/actions.goFrontend
options/locale/locale_en-US.iniTests
models/repo/repo_unit_test.gofor token permission methodsTestActionsTokenPermissionsModesintests/integration/actions_job_token_test.goScreenshots
The new Token Permissions section appears in Settings → Actions → General:
Notes
Related Issues
Closes #24635
/claim #24635