feat: Add configurable permissions for Actions automatic tokens #36173

Merged
lunny merged 332 commits into go-gitea:main from Excellencedev:fix-24635
Mar 21, 2026

Conversation

@Excellencedev (Contributor) commented Dec 17, 2025

Overview

This PR introduces granular permission controls for Gitea Actions tokens (GITEA_TOKEN), aligning Gitea's security model with GitHub Actions standards while maintaining compatibility with Gitea's unique repository unit system.

It addresses the need for finer access control by allowing administrators and repository owners to define default token permissions, set maximum permission ceilings, and control cross-repository access within organizations.

Key Features

1. Granular Token Permissions
  • Standard Keyword Support: Implements support for the permissions: keyword in workflow and job YAML files (e.g., contents: read, issues: write).
  • Permission Modes:
    • Permissive: Default write access for most units (backwards compatible).
    • Restricted: Default read-only access for contents and packages, with no access to other units.
    • Custom: Allows defining specific default levels for each unit type (Code, Issues, PRs, Packages, etc.). (EDIT: removed, the UI was confusing.)
  • Clamping Logic: Workflow-defined permissions are automatically "clamped" by repository or organization-level maximum settings. Workflows cannot escalate their own permissions beyond these limits.
2. Organization & Repository Settings
  • Settings UI: Added new settings pages at both Organization and Repository levels to manage Actions token defaults and maximums.
  • Inheritance: Repositories can be configured to "Follow organization-level configuration," simplifying management across large organizations.
  • Cross-Repository Access: Added a policy to control whether Actions workflows can access other repositories or packages within the same organization. This can be set to "None," "All," or restricted to a "Selected" list of repositories.
3. Security Hardening
  • Fork Pull Request Protection: Tokens for workflows triggered by pull requests from forks are strictly enforced as read-only, regardless of repository settings.
  • Package Access: Actions tokens can now only access packages explicitly linked to a repository, with cross-repo access governed by the organization's security policy. (EDIT: removed, see #36173 (comment).)
  • Git Hook Integration: Propagates Actions Task IDs to git hooks to ensure that pushes performed by Actions tokens respect the specific permissions granted at runtime.
4. Technical Implementation
  • Permission Persistence: Parsed permissions are calculated at job creation and stored in the action_run_job table. This ensures the token's authority is deterministic throughout the job's lifecycle.
  • Parsing Priority: Implemented a priority system in the YAML parser where the broad contents scope is applied first, allowing granular scopes like code or releases to override it for precise control.
  • Re-runs: Permissions are re-evaluated during a job re-run to incorporate any changes made to repository settings in the interim.

How to Test

  1. Unit Tests: Run go test ./services/actions/... and go test ./models/repo/... to verify parsing logic and permission clamping.
  2. Integration Tests: Comprehensive tests have been added to tests/integration/actions_job_token_test.go covering:
    • Permissive vs. Restricted mode behavior.
    • YAML permissions: keyword evaluation.
    • Organization cross-repo access policies.
    • Resource access (Git, API, and Packages) under various permission configs.
  3. Manual Verification:
    • Navigate to Site/Org/Repo Settings -> Actions -> General.
    • Change "Default Token Permissions" and verify that newly triggered workflows reflect these changes in their GITEA_TOKEN capabilities.
    • Attempt a cross-repo API call from an Action and verify the Org policy is enforced.

Documentation

Added a PR in gitea's docs for this: https://gitea.com/gitea/docs/pulls/366

UI:

[Two screenshots of the new settings UI, taken 2026-01-24]

/fixes #24635
/claim #24635
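The resolution order the description lays out (defaults, the broad `contents:` scope first, granular scopes overriding it, clamping to the configured maximum, and forced read-only for fork pull requests) as an added example in Go. This is not Gitea's code: the `Level` type, the `ResolvePermissions` function, and the unit names "code" and "releases" are hypothetical, and units absent from the maximum map are assumed to have no ceiling.

```go
package main

import "fmt"

// Level is the access level for one repository unit; higher means more access.
type Level int

const (
	None Level = iota
	Read
	Write
)

// ResolvePermissions applies the rules in order: defaults, the workflow's broad
// "contents" request, granular overrides (hypothetical unit names "code" and
// "releases"), clamping to the ceiling, then read-only for fork pull requests.
// Units absent from maximum are assumed to have no ceiling (example assumption).
func ResolvePermissions(defaults, maximum, requested map[string]Level, fromFork bool) map[string]Level {
	eff := make(map[string]Level, len(defaults))
	for unit, lvl := range defaults {
		eff[unit] = lvl
	}
	if lvl, ok := requested["contents"]; ok { // broad scope first ...
		for _, unit := range []string{"code", "releases"} {
			eff[unit] = lvl
		}
	}
	for unit, lvl := range requested { // ... then granular scopes override it
		if unit != "contents" {
			eff[unit] = lvl
		}
	}
	for unit, lvl := range eff { // never escalate past the ceiling; forks are read-only
		if ceil, ok := maximum[unit]; ok && lvl > ceil {
			lvl = ceil
		}
		if fromFork && lvl > Read {
			lvl = Read
		}
		eff[unit] = lvl
	}
	return eff
}

func main() {
	// Constructed sample: write defaults, a read ceiling on releases and packages,
	// and a workflow asking for contents: read but releases: write and issues: write.
	defaults := map[string]Level{"code": Write, "releases": Write, "issues": Write, "packages": Write}
	maximum := map[string]Level{"code": Write, "releases": Read, "issues": Write, "packages": Read}
	requested := map[string]Level{"contents": Read, "releases": Write, "issues": Write}
	fmt.Println(ResolvePermissions(defaults, maximum, requested, false)) // map[code:1 issues:2 packages:1 releases:1]
}
```

Note that `releases: write` is requested but clamped to read by the ceiling, while `packages`, which the workflow never mentions, still drops from its write default to the read ceiling.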

@GiteaBot added the label lgtm/need 2 (This PR needs two approvals by maintainers to be considered for merging) on Dec 17, 2025
@github-actions bot added the labels modifies/translation, modifies/go (Pull requests that update Go code) and modifies/templates (This PR modifies the template files) on Dec 17, 2025
@Excellencedev (Contributor Author):

@lunny @wxiaoguang Please review this

@wxiaoguang (Contributor):

Thank you for asking me to review, but I don't use Actions. You can invite the maintainers from the original issue to review.

@Excellencedev (Contributor Author):

> Thank you for asking me to review, but I don't use Actions. You can invite the maintainers from the original issue to review.

@silverwind Please review

@lunny lunny requested a review from Zettat123 December 17, 2025 16:53
@silverwind (Member):

I review mostly frontend stuff and am not much of an actions user myself, so please be patient until someone finds time to review it properly.

@Excellencedev (Contributor Author):

> I review mostly frontend stuff and am not much of an actions user myself, so please be patient until someone finds time to review it properly.

No problem

@wxiaoguang (Contributor):

By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.

What are the differences? Which PR would win ....... @Zettat123

@Zettat123 (Contributor):

> By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.
>
> What are the differences? Which PR would win ....... @Zettat123

This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)

It seems that #36113 implemented these features, but I think its code needs improvement.

@silverwind (Member) commented Dec 18, 2025

Issues I see on this screenshot:

[screenshot]
  • Header text is black on dark theme
  • Contrast on light text is too low

I can probably help fix those, the first one may be a missing override of the fomantic CSS.

@Excellencedev (Contributor Author):

@Zettat123 @silverwind Pls give me a few hours (15-20 hours) and this PR will be ready to go.
I will make sure to address all your comments and make sure I do everything from the issue
Drafting until then
When it is done, I will undraft it and notify you

@Excellencedev Excellencedev marked this pull request as draft December 18, 2025 01:53
@wxiaoguang (Contributor):

> By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.
> What are the differences? Which PR would win ....... @Zettat123

> This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)
>
> It seems that #36113 implemented these features, but I think its code needs improvement.

But "PR: Feat/actions token permissions #36113" came first, and it is more complete, why not respect the first author, but only review this second one?

@Excellencedev (Contributor Author):

> By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.
> What are the differences? Which PR would win ....... @Zettat123

> This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)
> It seems that #36113 implemented these features, but I think its code needs improvement.

> But "PR: Feat/actions token permissions #36113" came first, and it is more complete, why not respect the first author, but only review this second one?

@wxiaoguang should I close my PR?

@wxiaoguang (Contributor):

> By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.
> What are the differences? Which PR would win ....... @Zettat123

> This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)
> It seems that #36113 implemented these features, but I think its code needs improvement.

> But "PR: Feat/actions token permissions #36113" came first, and it is more complete, why not respect the first author, but only review this second one?

> @wxiaoguang should I close my PR?

I don't know. Reviewers decide.

@Zettat123 (Contributor):

> By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.
> What are the differences? Which PR would win ....... @Zettat123

> This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)
> It seems that #36113 implemented these features, but I think its code needs improvement.

> But "PR: Feat/actions token permissions #36113" came first, and it is more complete, why not respect the first author, but only review this second one?

I reviewed both PRs, but did not receive responses to my comments in #36113. If @Excellencedev will address the review comments, I think we should keep this PR.

@silverwind (Member) commented Dec 18, 2025

Imho, the only sensible thing we can do is race these 2 PRs.

@Excellencedev (Contributor Author) commented Dec 18, 2025

Addressed most of your comments in my latest commit; now I just need to make sure I fully implement the proposal in #24635.

@Zettat123 (Contributor):

According to the solution in #24635, I think this PR does not implement:

  • Support configuring the permissions
  • Support configuring access between repositories
  • Private packages can be accessed by Actions only when they have been linked to repositories

@Excellencedev (Contributor Author):

> According to the solution in #24635, I think this PR does not implement:
>
>   • Support configuring the permissions
>   • Support configuring access between repositories
>   • Private packages can be accessed by Actions only when they have been linked to repositories

Ok no problem. I'm working on it

@github-actions github-actions bot added the modifies/api This PR adds API routes or modifies them label Dec 18, 2025
@Excellencedev Excellencedev marked this pull request as ready for review December 18, 2025 15:32
@Excellencedev (Contributor Author):

@Zettat123 My PR is now ready for review !
It implements ALL the features in the issue description
Just need to make sure tests pass though.

@Excellencedev (Contributor Author):

> Made some changes to the help texts.
>
> I am not a native speaker, not sure whether the changed texts are good enough.

the grammar looks good

@Excellencedev (Contributor Author):

> Are you sure your fix is right? You added exclusive=true to all the repo search boxes, won't it break others?

see b10db5d

@wxiaoguang (Contributor):

> Are you sure your fix is right? You added exclusive=true to all the repo search boxes, won't it break others?

> see b10db5d

What does this do?

[screenshot]

@Excellencedev (Contributor Author):

> What does this do?

It checks if the HTML has a data-collaborate attribute and, if so, adds it to the search URL as a filter. This allows the search to either include or exclude repositories where the user is only a collaborator

@wxiaoguang (Contributor):

> What does this do?

> It checks if the HTML has a data-collaborate attribute and, if so, adds it to the search URL as a filter. This allows the search to either include or exclude repositories where the user is only a collaborator

Is it your guess? Or your AI's answer? Where is collaborate used in backend code?

@ChristopherHX (Contributor) left a review comment:

I confirm

  • the user and org cross-repo setting no longer shows (also does not allow to add) repositories of a different owner
  • a deleted repository disappears from the cross-repo list (user settings page)
  • changing settings does save if UI matches backend revision

Some things that didn't feel right to me

  • you can press add repo without having any selected (more or less just does a reload)
  • Non-issue so far: having a previous settings page JS in the cache cleared the cross-repo setting and showed a broken form for me (idk what PR revision that was based on before)

@wxiaoguang (Contributor):

> you can press add repo without having any selected (more or less just does a reload)

Fixed in e1d11ae

[screenshot]

# Conflicts:
#	models/migrations/migrations.go
#	models/migrations/v1_26/v327.go
#	routers/web/shared/actions/runners.go
@Excellencedev (Contributor Author):

should I do a PR to gitea docs?

@lunny (Member) commented Mar 18, 2026

> should I do a PR to gitea docs?

I think yes. We need a PR to gitea docs.

@Excellencedev (Contributor Author):

@lunny Added a PR: https://gitea.com/gitea/docs/pulls/366

Labels

  • 🙋 Bounty claim
  • lgtm/done: This PR has enough approvals to get merged. There are no important open reservations anymore.
  • modifies/cli: PR changes something on the CLI, i.e. gitea doctor or gitea admin
  • modifies/docs
  • modifies/frontend
  • modifies/go: Pull requests that update Go code
  • modifies/migrations
  • modifies/templates: This PR modifies the template files
  • topic/gitea-actions: related to the actions of Gitea

Development

Successfully merging this pull request may close these issues.

[Proposal] Support configuring permissions of automatic tokens of Actions jobs

8 participants