fix: /repos/{owner}/{repo}/actions/{runs,jobs} requiring owner permissions #36818

Merged
lunny merged 4 commits into go-gitea:main from OptionalValue:main
Mar 3, 2026

@OptionalValue
Contributor

Hi,

This PR fixes the issue reported here.

The REST endpoints:
/repos/{owner}/{repo}/actions/runs
/repos/{owner}/{repo}/actions/jobs

currently require repository/organisation owner permissions, even though in GitHub they only need simple "read" permissions on the repo.
In the web interface this is implemented correctly, where anyone with "read" permissions can see the list of action runs.


Resolves #36268

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 3, 2026
@github-actions github-actions bot added modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code labels Mar 3, 2026
@wxiaoguang
Contributor

wxiaoguang commented Mar 3, 2026

Check how addActionsRoutes is used. You can't simply add reqRepoReader here. There is no "repo" for "org"

Maybe you need a new argument for addActionsRoutes

@wxiaoguang wxiaoguang marked this pull request as draft March 3, 2026 17:18
@OptionalValue
Contributor Author

@wxiaoguang Thanks for the quick reply!
Did not notice that, so thank you.
I've added a new param readReqChecker to addActionsRoutes
It now is called with:

  • reqRepoReader(unit.TypeActions) for repositories
  • reqOrgMembership() for organisations
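
Added illustration, not part of this PR or of Gitea's code: a shared route-registration helper that takes the read check as a parameter, so the repository and organisation mounts each pass their own check while an owner-only route stays strict. The `X-Role` header, the role names, the `/repos/o/r` and `/orgs/o` prefixes and the `owner-only` route are constructed assumptions; only `addActionsRoutes` and `readReqChecker` echo names from the comment above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"slices"
)

// checker wraps a handler with a permission check (stand-in for a route middleware).
type checker func(http.HandlerFunc) http.HandlerFunc

// requireRole trusts a constructed X-Role header; a real server uses the authenticated session.
func requireRole(roles ...string) checker {
	return func(next http.HandlerFunc) http.HandlerFunc {
		return func(w http.ResponseWriter, r *http.Request) {
			if !slices.Contains(roles, r.Header.Get("X-Role")) {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
			next(w, r)
		}
	}
}

// addActionsRoutes is mounted for both scopes, so the caller supplies the read check.
func addActionsRoutes(mux *http.ServeMux, prefix string, readReqChecker, ownerChecker checker) {
	list := func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "[]") }
	mux.HandleFunc(prefix+"/actions/runs", readReqChecker(list))
	mux.HandleFunc(prefix+"/actions/jobs", readReqChecker(list))
	mux.HandleFunc(prefix+"/actions/owner-only", ownerChecker(list)) // hypothetical route
}

func newAPI() *http.ServeMux {
	mux := http.NewServeMux()
	addActionsRoutes(mux, "/repos/o/r", requireRole("repo-reader", "owner"), requireRole("owner"))
	addActionsRoutes(mux, "/orgs/o", requireRole("org-member", "owner"), requireRole("owner"))
	return mux
}

// status sends a GET as the given role and returns the response status code.
func status(h http.Handler, path, role string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("X-Role", role)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(status(newAPI(), "/repos/o/r/actions/runs", "repo-reader")) }
```

A regression test for this kind of change should cover both directions: the reader now gets 200 on the list routes, and every role below owner still gets 403 on the routes that were not meant to be loosened.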

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Mar 3, 2026
@OptionalValue OptionalValue marked this pull request as ready for review March 3, 2026 17:43
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Mar 3, 2026
@lunny lunny added type/bug backport/v1.25 This PR should be backported to Gitea 1.25 reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. labels Mar 3, 2026
@lunny lunny merged commit 484eacb into go-gitea:main Mar 3, 2026
26 checks passed
@GiteaBot GiteaBot added this to the 1.26.0 milestone Mar 3, 2026
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Mar 3, 2026
@GiteaBot
Collaborator

GiteaBot commented Mar 4, 2026

I was unable to create a backport for 1.25. @OptionalValue, please send one manually. 🍵

go run ./contrib/backport 36818
...  // fix git conflicts if any
go run ./contrib/backport --continue

@GiteaBot GiteaBot added the backport/manual No power to the bots! Create your backport yourself! label Mar 4, 2026
zjjhot added a commit to zjjhot/gitea that referenced this pull request Mar 4, 2026
* giteaofficial/main:
  [skip ci] Updated translations via Crowdin
  fix: /repos/{owner}/{repo}/actions/{runs,jobs} requiring owner permissions (go-gitea#36818)
  Fix CRAN package version validation to allow more than 4 version components (go-gitea#36813)
  Fix API not persisting pull request unit config when has_pull_requests is not set (go-gitea#36718)
  feat: Add Actions API rerun endpoints for runs and jobs (go-gitea#36768)
  Fix bug when pushing mirror with wiki (go-gitea#36795)
  Pull Request Pusher should be the author of the merge (go-gitea#36581)
  Delete non-exist branch should return 404 (go-gitea#36694)
  Remove API registration-token (go-gitea#36801)
  Add background and run count to actions list page (go-gitea#36707)
silverwind added a commit to silverwind/gitea that referenced this pull request Mar 6, 2026
* origin/main: (27 commits)
  Fix OAuth2 authorization code expiry and reuse handling (go-gitea#36797)
  Fix org permission API visibility checks for hidden members and private orgs (go-gitea#36798)
  Fix non-admins unable to automerge PRs from forks (go-gitea#36833)
  upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (go-gitea#36837)
  Fix dump release asset bug (go-gitea#36799)
  build(deps): update material-icon-theme v5.32.0 (go-gitea#36832)
  Fix bug to check whether user can update pull request branch or rebase branch (go-gitea#36465)
  Fix forwarded proto handling for public URL detection (go-gitea#36810)
  Fix artifacts v4 backend upload problems (go-gitea#36805)
  Add a git grep search timeout (go-gitea#36809)
  fix(repo): unify DEFAULT_SHOW_FULL_NAME output in templates and dropdown (go-gitea#36597)
  Harden render iframe open-link handling (go-gitea#36811)
  [skip ci] Updated translations via Crowdin
  fix: /repos/{owner}/{repo}/actions/{runs,jobs} requiring owner permissions (go-gitea#36818)
  Fix CRAN package version validation to allow more than 4 version components (go-gitea#36813)
  Fix API not persisting pull request unit config when has_pull_requests is not set (go-gitea#36718)
  feat: Add Actions API rerun endpoints for runs and jobs (go-gitea#36768)
  Fix bug when pushing mirror with wiki (go-gitea#36795)
  Pull Request Pusher should be the author of the merge (go-gitea#36581)
  Delete non-exist branch should return 404 (go-gitea#36694)
  ...

# Conflicts:
#	routers/web/repo/issue_view.go

Labels

backport/manual No power to the bots! Create your backport yourself! backport/v1.25 This PR should be backported to Gitea 1.25 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code type/bug

Development

Successfully merging this pull request may close these issues.

GET /repos/{owner}/{repo}/actions/{runs,jobs} requires more than just read permissions

4 participants