Skip to content

feat: Add configurable permissions for Actions automatic tokens #36173

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Excellencedev wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

feat: Add configurable permissions for Actions automatic tokens #36173

Excellencedev wants to merge 3 commits into from
+368 −11

Conversation

@Excellencedev
Copy link

@Excellencedev Excellencedev commented Dec 17, 2025

Summary

Implements Issue #24635 - Support configuring permissions of automatic tokens for Actions jobs.

This PR adds the ability to configure the default permissions granted to the GITHUB_TOKEN when running workflow jobs in a repository. Users can now choose between:

  • Permissive mode (default): Workflows have read and write permissions for all scopes (backwards compatible with existing behavior)
  • Restricted mode: Workflows have read-only permissions by default

Changes

Backend

  • Extended ActionsConfig struct in models/repo/repo_unit.go with:

    • ActionsTokenPermissionMode type (permissive/restricted)
    • ActionsTokenPermissions struct for per-unit permissions (Contents, Issues, PullRequests, Packages, Actions, Wiki)
    • Helper methods for getting effective permissions and clamping

  • Modified GetActionsUserRepoPermission in models/perm/access/repo_permission.go to use configurable per-unit permissions instead of hardcoded access modes

  • Added UpdateTokenPermissions handler in routers/web/repo/setting/actions.go

Frontend

  • Added Token Permissions UI section in repository Settings → Actions → General
  • Added locale strings in options/locale/locale_en-US.ini

Tests

  • Added unit tests in models/repo/repo_unit_test.go for token permission methods
  • Added integration test TestActionsTokenPermissionsModes in tests/integration/actions_job_token_test.go

Screenshots

The new Token Permissions section appears in Settings → Actions → General:

  • Radio buttons for Permissive/Restricted mode
  • Warning note about fork PRs always being read-only
Screenshot 2025-12-17 071658

Notes

  • Fork pull requests always receive read-only access regardless of settings (security feature)
  • Default behavior is "permissive" for backwards compatibility
  • No database migration required - settings stored as JSON in existing repo_unit config

Related Issues

Closes #24635
/claim #24635

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Dec 17, 2025
@github-actions github-actions bot added modifies/translation modifies/go Pull requests that update Go code modifies/templates This PR modifies the template files labels Dec 17, 2025
@Excellencedev
Copy link
Author

Excellencedev commented Dec 17, 2025

@lunny @wxiaoguang Please review this

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Dec 17, 2025

Thank you for asking me to review, but I don't use Actions. You can invite the maintainers from the original issue to review.

@Excellencedev
Copy link
Author

Excellencedev commented Dec 17, 2025

Thank you for asking me to review, but I don't use Actions. You can invite the maintainers from the original issue to review.

@silverwind Please review

@lunny lunny requested a review from Zettat123 December 17, 2025 16:53
@silverwind
Copy link
Member

silverwind commented Dec 17, 2025

I review mostly frontend stuff and am not much of an actions user myself, so please be patient until someone finds time to review it properly.

@Excellencedev
Copy link
Author

Excellencedev commented Dec 17, 2025

I review mostly frontend stuff and am not much of an actions user myself, so please be patient until someone finds time to review it properly.

No problem

Zettat123
Zettat123 reviewed Dec 17, 2025
View reviewed changes
routers/web/repo/setting/actions.go
ctx.Data["TokenPermissionModePermissive"] = repo_model.ActionsTokenPermissionModePermissive
ctx.Data["TokenPermissionModeRestricted"] = repo_model.ActionsTokenPermissionModeRestricted
ctx.Data["EffectiveTokenPermissions"] = actionsCfg.GetEffectiveTokenPermissions(false)
ctx.Data["MaxTokenPermissions"] = actionsCfg.GetMaxTokenPermissions()
Copy link
Contributor

@Zettat123 Zettat123 Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EffectiveTokenPermissions and MaxTokenPermissions are not being used on the frontend page. Should they be removed?

routers/web/repo/setting/actions.go
permissionMode := ctx.FormString("token_permission_mode")
if permissionMode == string(repo_model.ActionsTokenPermissionModeRestricted) {
actionsCfg.TokenPermissionMode = repo_model.ActionsTokenPermissionModeRestricted
} else {
Copy link
Contributor

@Zettat123 Zettat123 Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When permissionMode is not "permissive" or "restricted", it's better to return 400 Bad Request

tests/integration/actions_job_token_test.go
})
}

func testActionsTokenPermissionsMode(u *url.URL, mode string, expectReadOnly bool) func(t *testing.T) {
Copy link
Contributor

@Zettat123 Zettat123 Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mode and expectReadOnly params are unused, is this as expected?

Copy link
Member

@silverwind silverwind Dec 18, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have unparam linter enabled, it should error on any unused params.

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Dec 17, 2025

By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.

What are the differences? Which PR would win ....... @Zettat123

@Zettat123
Copy link
Contributor

Zettat123 commented Dec 17, 2025

By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.

What are the differences? Which PR would win ....... @Zettat123

This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)

It seems that #36113 implemented these features, but I think its code needs improvement.

silverwind
silverwind reviewed Dec 18, 2025
View reviewed changes
templates/repo/settings/actions_general.tmpl
</div>
</div>
</div>
<div class="ui warning message">
Copy link
Member

@silverwind silverwind Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe ui info message is enough. Warning should only be used for dangerous stuff.

@silverwind
Copy link
Member

silverwind commented Dec 18, 2025
edited
Loading

Issues I see on this screenshot:

image
  • Header text is black on dark theme
  • Contrast on light text is too low

I can probably help fix those, the first one may be a missing override of the fomantic CSS.

@Excellencedev
Copy link
Author

Excellencedev commented Dec 18, 2025

@Zettat123 @silverwind Pls give me a few hours(15-20 hours) and this PR will be ready to go
I will make sure to address all your comments and make sure I do everything from the issue
Drafting until then
When it is done, I will undraft it and notify you

@Excellencedev Excellencedev marked this pull request as draft December 18, 2025 01:53
@wxiaoguang
Copy link
Contributor

wxiaoguang commented Dec 18, 2025

By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.
What are the differences? Which PR would win ....... @Zettat123

This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)

It seems that #36113 implemented these features, but I think its code needs improvement.

But "PR: Feat/actions token permissions #36113" came first, and it is more complete, why not respect the first author, but only review this second one?

@Excellencedev
Copy link
Author

Excellencedev commented Dec 18, 2025

By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.
What are the differences? Which PR would win ....... @Zettat123

This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)
It seems that #36113 implemented these features, but I think its code needs improvement.

But "PR: Feat/actions token permissions #36113" came first, and it is more complete, why not respect the first author, but only review this second one?

@wxiaoguang should i close my pr ?

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Dec 18, 2025

By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.
What are the differences? Which PR would win ....... @Zettat123

This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)
It seems that #36113 implemented these features, but I think its code needs improvement.

But "PR: Feat/actions token permissions #36113" came first, and it is more complete, why not respect the first author, but only review this second one?

@wxiaoguang should i close my pr ?

I don't know. Reviewers decide.

@Zettat123
Copy link
Contributor

Zettat123 commented Dec 18, 2025

By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.
What are the differences? Which PR would win ....... @Zettat123

This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)
It seems that #36113 implemented these features, but I think its code needs improvement.

But "PR: Feat/actions token permissions #36113" came first, and it is more complete, why not respect the first author, but only review this second one?

I reviewed both PRs, but did not receive responses to my comments in #36113. If @Excellencedev will address the review comments, I think we should keep this PR.

@silverwind
Copy link
Member

silverwind commented Dec 18, 2025
edited
Loading

Imho, the only sensible thing we can do is race these 2 PRs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@silverwind silverwind silverwind left review comments

+1 more reviewer

@Zettat123 Zettat123 Zettat123 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

🙋 Bounty claim lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. modifies/go Pull requests that update Go code modifies/templates This PR modifies the template files modifies/translation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Proposal] Support configuring permissions of automatic tokens of Actions jobs

5 participants

@Excellencedev @wxiaoguang @silverwind @Zettat123 @GiteaBot