Skip to content

Fix issue label deletion with Actions tokens#37013

Merged
silverwind merged 7 commits intogo-gitea:mainfrom
bircni:fix-actions-label-delete-37011
Mar 29, 2026
Merged

Fix issue label deletion with Actions tokens#37013
silverwind merged 7 commits intogo-gitea:mainfrom
bircni:fix-actions-label-delete-37011

Conversation

@bircni
Copy link
Copy Markdown
Member

@bircni bircni commented Mar 27, 2026

Use shared repo permission resolution for Actions task users in issue label remove and clear paths, and add a regression test for deleting issue labels with a Gitea Actions token.

This fixes issue label deletion when the request is authenticated with a Gitea Actions token.
Fixes #37011

The bug was that the delete path re-resolved repository permissions using the normal user permission helper, which does not handle Actions task users. As a result, DELETE /api/v1/repos/{owner}/{repo}/issues/{index}/labels/{id} could return 500 for Actions tokens even though label listing and label addition worked.

@bircni @codex
Fix issue label deletion with Actions tokens
937e7a0 
Use shared repo permission resolution for Actions task users in issue label remove and clear paths, and add a regression test for deleting issue labels with a Gitea Actions token.

Co-authored-by: Codex <codex@openai.com>
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 27, 2026
@github-actions github-actions bot added the modifies/go Pull requests that update Go code label Mar 27, 2026
@bircni bircni marked this pull request as ready for review March 27, 2026 20:51
@gbolo
Copy link
Copy Markdown

gbolo commented Mar 27, 2026

Hi @bircni , thank you for fixing this so quickly!

I compiled and tried it out and the DELETE now works as expected ;)

2026/03/27 19:15:49 HTTPRequest [I] router: completed DELETE /api/v1/repos/midgar/infra/issues/6/labels/8 for 10.70.0.20:0, 204 No Content in 42.1ms @ repo/issue_label.go:127(repo.DeleteIssueLabel

@lunny
Copy link
Copy Markdown
Member

lunny commented Mar 27, 2026

Why only invoking GetUserOrActionsRepoPermission for labels permission check?

@bircni
Copy link
Copy Markdown
Member Author

bircni commented Mar 27, 2026

Why only invoking GetUserOrActionsRepoPermission for labels permission check?

That's the scope for the pr
Should we adjust it somewhere else too?

@wxiaoguang
Copy link
Copy Markdown
Contributor

wxiaoguang commented Mar 28, 2026

I think it needs a complete fix. All calls of "GetUserRepoPermission" should be fixed together.

  1. Introduce "GetDoerRepoPermission"
  2. Rename "GetUserRepoPermission" to "GetIndiviudalUserRepoPermission" (in most cases, it shouldn't be called directly)

@wxiaoguang wxiaoguang marked this pull request as draft March 28, 2026 05:45
@github-actions github-actions bot added the modifies/api This PR adds API routes or modifies them label Mar 28, 2026
@silverwind
Copy link
Copy Markdown
Member

silverwind commented Mar 28, 2026

A few concerns from reviewing the call-site categorization:

  1. services/pull/pull.go:159permDoer is built with GetIndividualUserRepoPermission(ctx, repo, issue.Poster), but in NewPullRequest the poster is the doer creating the PR. If an Actions workflow creates a PR, this wouldn't resolve actions permissions correctly. Should likely be GetDoerRepoPermission. Same applies to the AllowMaintainerEdit check at line 79 in the same file.

  2. AccessLevelUnit, HasAnyUnitAccess, CheckRepoUnitUser in repo_permission.go all use GetIndividualUserRepoPermission internally. If any of them are ever called with an Actions user, permissions won't resolve correctly. Currently unlikely but a latent issue — a comment noting they don't support Actions users would help.

This comment was written by Claude Opus 4.6.

@bircni bircni marked this pull request as ready for review March 28, 2026 16:11
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Mar 28, 2026
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Mar 28, 2026
@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Mar 28, 2026
@silverwind silverwind enabled auto-merge (squash) March 29, 2026 09:04
@silverwind silverwind merged commit db7eb4d into go-gitea:main Mar 29, 2026
26 checks passed
@GiteaBot GiteaBot added this to the 1.26.0 milestone Mar 29, 2026
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Mar 29, 2026
@lunny lunny added the type/bug label Mar 29, 2026
zjjhot added a commit to zjjhot/gitea that referenced this pull request Mar 30, 2026
@zjjhot
Merge branch 'main' into mainzjj
aaede8e 
* main: (35 commits)
  Correct swagger annotations for enums, status codes, and notification state (go-gitea#37030)
  Update Nix flake (go-gitea#37024)
  Bump go and python versions in nix flake (go-gitea#37031)
  Make task list checkboxes clickable in the preview tab (go-gitea#37010)
  Add support for in_progress event in workflow_run webhook (go-gitea#36979)
  Fix various problems (go-gitea#37029)
  Update AI Contribution Policy (go-gitea#37022)
  Migrate from webpack to vite (go-gitea#37002)
  Upgrade yaml (go-gitea#37015)
  Fix issue label deletion with Actions tokens (go-gitea#37013)
  Hide delete branch or tag buttons in mirror or archived repositories. (go-gitea#37006)
  Update AGENTS.md with additional guidelines (go-gitea#37018)
  Optimize 'refreshAccesses' to perform update without removing then adding (go-gitea#35702)
  Fix relative-time RangeError (go-gitea#37021)
  Restyle Workflow Graph (go-gitea#36912)
  Update message severity colors, fix navbar double border (go-gitea#37019)
  Clean up checkbox cursor styles (go-gitea#37016)
  add missing cron tasks to example ini (go-gitea#37012)
  Add e2e tests for server push events (go-gitea#36879)
  Update JS dependencies (go-gitea#37001)
  ...
silverwind added a commit to silverwind/gitea that referenced this pull request Mar 30, 2026
@silverwind
Merge remote-tracking branch 'origin/main' into cm
2b13bac 
* origin/main: (69 commits)
  Correct swagger annotations for enums, status codes, and notification state (go-gitea#37030)
  Update Nix flake (go-gitea#37024)
  Bump go and python versions in nix flake (go-gitea#37031)
  Make task list checkboxes clickable in the preview tab (go-gitea#37010)
  Add support for in_progress event in workflow_run webhook (go-gitea#36979)
  Fix various problems (go-gitea#37029)
  Update AI Contribution Policy (go-gitea#37022)
  Migrate from webpack to vite (go-gitea#37002)
  Upgrade yaml (go-gitea#37015)
  Fix issue label deletion with Actions tokens (go-gitea#37013)
  Hide delete branch or tag buttons in mirror or archived repositories. (go-gitea#37006)
  Update AGENTS.md with additional guidelines (go-gitea#37018)
  Optimize 'refreshAccesses' to perform update without removing then adding (go-gitea#35702)
  Fix relative-time RangeError (go-gitea#37021)
  Restyle Workflow Graph (go-gitea#36912)
  Update message severity colors, fix navbar double border (go-gitea#37019)
  Clean up checkbox cursor styles (go-gitea#37016)
  add missing cron tasks to example ini (go-gitea#37012)
  Add e2e tests for server push events (go-gitea#36879)
  Update JS dependencies (go-gitea#37001)
  ...

# Conflicts:
#	package.json
#	pnpm-lock.yaml
#	tests/e2e/utils.ts
#	web_src/css/themes/theme-gitea-dark.css
#	web_src/css/themes/theme-gitea-light.css
#	web_src/js/bootstrap.ts
#	web_src/js/features/codeeditor.ts
#	web_src/js/modules/errors.test.ts
#	webpack.config.ts
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@silverwind silverwind silverwind approved these changes

@wxiaoguang wxiaoguang wxiaoguang approved these changes

Assignees

No one assigned

Labels

lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code type/bug

Projects

None yet

Milestone

1.26.0

Development

Successfully merging this pull request may close these issues.

DELETE /api/v1/repos/{owner}/{repo}/issues/{index}/labels/{id} returns 500 when using Gitea Actions token

6 participants

@bircni @gbolo @lunny @wxiaoguang @silverwind @GiteaBot