Mirrors/gitea
0
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-01-23 21:49:21 +01:00
Code Issues Activity

chore: fix ci

Browse Source
This commit is contained in:
Excellencedev 2025-12-31 06:00:05 +01:00
parent 1ff75aa822
commit 2e7bd47be6
3 changed files with 37 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
models/perm/access/repo_permission.go
View File

@ -325,13 +325,22 @@ func GetActionsUserRepoPermission(ctx context.Context, repo *repo_model.Reposito
return perm, nil
}
// Get effective token permissions
// First check if job has explicit permissions stored from workflow YAML
var effectivePerms repo_model.ActionsTokenPermissions
if err := task.LoadJob(ctx); err != nil {
return perm, err
var jobLoaded bool
// Only attempt to load job if JobID is set (non-zero)
if task.JobID != 0 {
if err := task.LoadJob(ctx); err == nil {
jobLoaded = true
} else {
// If loading job fails (e.g. resource doesn't exist), log it but fall back to repo permissions
// This prevents 500 errors if the task has a broken job link
log.Warn("GetActionsUserRepoPermission: failed to load job %d for task %d: %v", task.JobID, task.ID, err)
}
}
if task.Job != nil && task.Job.TokenPermissions != "" {
if jobLoaded && task.Job != nil && task.Job.TokenPermissions != "" {
// Use permissions parsed from workflow YAML (already clamped by repo max settings during insertion)
effectivePerms, err = repo_model.UnmarshalTokenPermissions(task.Job.TokenPermissions)
if err != nil {
@ -340,7 +349,7 @@ func GetActionsUserRepoPermission(ctx context.Context, repo *repo_model.Reposito
effectivePerms = actionsCfg.ClampPermissions(effectivePerms)
}
} else {
// No workflow permissions, use repository settings
// No workflow permissions or job not found, use repository settings
effectivePerms = actionsCfg.GetEffectiveTokenPermissions(task.IsForkPullRequest)
effectivePerms = actionsCfg.ClampPermissions(effectivePerms)
}

25
services/actions/permission_parser.go
View File

@ -48,9 +48,20 @@ func parseRawPermissions(rawPerms *yaml.Node, defaultPerms repo_model.ActionsTok
return defaultPerms
}
// Unwrap DocumentNode if present (yaml.Unmarshal wraps content in DocumentNode)
node := rawPerms
if node.Kind == yaml.DocumentNode && len(node.Content) > 0 {
node = node.Content[0]
}
// Check for empty node after unwrapping
if node == nil || (node.Kind == yaml.ScalarNode && node.Value == "") {
return defaultPerms
}
// Handle scalar values: "read-all" or "write-all"
if rawPerms.Kind == yaml.ScalarNode {
switch rawPerms.Value {
if node.Kind == yaml.ScalarNode {
switch node.Value {
case "read-all":
return repo_model.ActionsTokenPermissions{
Contents: perm.AccessModeRead,
@ -74,15 +85,15 @@ func parseRawPermissions(rawPerms *yaml.Node, defaultPerms repo_model.ActionsTok
}
// Handle mapping: individual permission scopes
if rawPerms.Kind == yaml.MappingNode {
if node.Kind == yaml.MappingNode {
result := defaultPerms // Start with defaults
for i := 0; i < len(rawPerms.Content); i += 2 {
if i+1 >= len(rawPerms.Content) {
for i := 0; i < len(node.Content); i += 2 {
if i+1 >= len(node.Content) {
break
}
keyNode := rawPerms.Content[i]
valueNode := rawPerms.Content[i+1]
keyNode := node.Content[i]
valueNode := node.Content[i+1]
if keyNode.Kind != yaml.ScalarNode || valueNode.Kind != yaml.ScalarNode {
continue

10
tests/integration/actions_job_token_test.go
View File

@ -546,11 +546,11 @@ func TestActionsWorkflowPermissionsKeyword(t *testing.T) {
// Create a run and job with explicit permissions
run := &actions_model.ActionRun{
RepoID: repository.ID,
OwnerID: repository.Owner.ID,
Title: "Test workflow with read-all permissions",
Status: actions_model.StatusRunning,
Ref: "refs/heads/master",
RepoID: repository.ID,
OwnerID: repository.Owner.ID,
Title: "Test workflow with read-all permissions",
Status: actions_model.StatusRunning,
Ref: "refs/heads/master",
CommitSHA: "abc123",
}
require.NoError(t, db.Insert(t.Context(), run))