From 2e7bd47be67f40a1bed160f17548ad59b982c685 Mon Sep 17 00:00:00 2001
From: Excellencedev
Date: Wed, 31 Dec 2025 06:00:05 +0100
Subject: [PATCH] chore: fix ci

---
 models/perm/access/repo_permission.go | 19 +++++++++++-----
 services/actions/permission_parser.go | 25 +++++++++++++++------
 tests/integration/actions_job_token_test.go | 10 ++++-----
 3 files changed, 37 insertions(+), 17 deletions(-)

diff --git a/models/perm/access/repo_permission.go b/models/perm/access/repo_permission.go
index 3fe2a514de..434dc15c38 100644
--- a/models/perm/access/repo_permission.go
+++ b/models/perm/access/repo_permission.go
@@ -325,13 +325,22 @@ func GetActionsUserRepoPermission(ctx context.Context, repo *repo_model.Reposito
 return perm, nil
 }

- // Get effective token permissions
 // First check if job has explicit permissions stored from workflow YAML
 var effectivePerms repo_model.ActionsTokenPermissions
- if err := task.LoadJob(ctx); err != nil {
- return perm, err
+ var jobLoaded bool
+
+ // Only attempt to load job if JobID is set (non-zero)
+ if task.JobID != 0 {
+ if err := task.LoadJob(ctx); err == nil {
+ jobLoaded = true
+ } else {
+ // If loading job fails (e.g. resource doesn't exist), log it but fall back to repo permissions
+ // This prevents 500 errors if the task has a broken job link
+ log.Warn("GetActionsUserRepoPermission: failed to load job %d for task %d: %v", task.JobID, task.ID, err)
+ }
 }
- if task.Job != nil && task.Job.TokenPermissions != "" {
+
+ if jobLoaded && task.Job != nil && task.Job.TokenPermissions != "" {
 // Use permissions parsed from workflow YAML (already clamped by repo max settings during insertion)
 effectivePerms, err = repo_model.UnmarshalTokenPermissions(task.Job.TokenPermissions)
 if err != nil {
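Review bot: The new `else` branch after `task.LoadJob(ctx)` makes this authorization path fail open, because every load error (a transient database failure or a cancelled context as much as a dangling job link) now falls through to the repository-level permissions. If the job row exists and stores a narrower `TokenPermissions` value from the workflow, that fallback can hand the token more than the workflow declared. I would keep returning the error for anything other than a missing record, e.g. `if err := task.LoadJob(ctx); err != nil && !errors.Is(err, util.ErrNotExist) { return perm, err }`, and keep the `log.Warn` only for the not-found case; this assumes LoadJob reports a missing job as a not-exist error and that both packages are imported in this file, neither of which is visible here. `jobLoaded` then looks redundant, since `task.Job != nil` presumably already tells the two cases apart. The function starts and ends outside the hunk.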
@@ -340,7 +349,7 @@ func GetActionsUserRepoPermission(ctx context.Context, repo *repo_model.Reposito
 effectivePerms = actionsCfg.ClampPermissions(effectivePerms)
 }
 } else {
- // No workflow permissions, use repository settings
+ // No workflow permissions or job not found, use repository settings
 effectivePerms = actionsCfg.GetEffectiveTokenPermissions(task.IsForkPullRequest)
 effectivePerms = actionsCfg.ClampPermissions(effectivePerms)
 }
diff --git a/services/actions/permission_parser.go b/services/actions/permission_parser.go
index 88b29b16fc..4bb80fe669 100644
--- a/services/actions/permission_parser.go
+++ b/services/actions/permission_parser.go
@@ -48,9 +48,20 @@ func parseRawPermissions(rawPerms *yaml.Node, defaultPerms repo_model.ActionsTok
 return defaultPerms
 }

+ // Unwrap DocumentNode if present (yaml.Unmarshal wraps content in DocumentNode)
+ node := rawPerms
+ if node.Kind == yaml.DocumentNode && len(node.Content) > 0 {
+ node = node.Content[0]
+ }
+
+ // Check for empty node after unwrapping
+ if node == nil || (node.Kind == yaml.ScalarNode && node.Value == "") {
+ return defaultPerms
+ }
+
 // Handle scalar values: "read-all" or "write-all"
- if rawPerms.Kind == yaml.ScalarNode {
- switch rawPerms.Value {
+ if node.Kind == yaml.ScalarNode {
+ switch node.Value {
 case "read-all":
 return repo_model.ActionsTokenPermissions{
 Contents: perm.AccessModeRead,
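Review bot: A `DocumentNode` with no children is not handled by the unwrap in parseRawPermissions: `len(node.Content) > 0` is false, `node` stays the document node, and it then matches neither the scalar nor the mapping branch, so the outcome depends on whatever the end of the function returns, which is outside this hunk. In a parser that decides token scopes that case should be explicit, e.g. `if node.Kind == yaml.DocumentNode { if len(node.Content) == 0 { return defaultPerms }; node = node.Content[0] }`. The `node == nil` test that follows can only fire when `Content[0]` itself is nil, because `node.Kind` has already been dereferenced two statements earlier; a short comment saying so would save the next reader from assuming it guards `rawPerms`. A table test covering an empty document, a null scalar and an unrecognised node kind would pin the intended defaults.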
@@ -74,15 +85,15 @@ func parseRawPermissions(rawPerms *yaml.Node, defaultPerms repo_model.ActionsTok
 }

 // Handle mapping: individual permission scopes
- if rawPerms.Kind == yaml.MappingNode {
+ if node.Kind == yaml.MappingNode {
 result := defaultPerms // Start with defaults
- for i := 0; i < len(rawPerms.Content); i += 2 {
- if i+1 >= len(rawPerms.Content) {
+ for i := 0; i < len(node.Content); i += 2 {
+ if i+1 >= len(node.Content) {
 break
 }

- keyNode := rawPerms.Content[i]
- valueNode := rawPerms.Content[i+1]
+ keyNode := node.Content[i]
+ valueNode := node.Content[i+1]

 if keyNode.Kind != yaml.ScalarNode || valueNode.Kind != yaml.ScalarNode {
 continue
diff --git a/tests/integration/actions_job_token_test.go b/tests/integration/actions_job_token_test.go
index 12133b3261..26686cee6f 100644
--- a/tests/integration/actions_job_token_test.go
+++ b/tests/integration/actions_job_token_test.go
@@ -546,11 +546,11 @@ func TestActionsWorkflowPermissionsKeyword(t *testing.T) {

 // Create a run and job with explicit permissions
 run := &actions_model.ActionRun{
- RepoID: repository.ID,
- OwnerID: repository.Owner.ID,
- Title: "Test workflow with read-all permissions",
- Status: actions_model.StatusRunning,
- Ref: "refs/heads/master",
+ RepoID: repository.ID,
+ OwnerID: repository.Owner.ID,
+ Title: "Test workflow with read-all permissions",
+ Status: actions_model.StatusRunning,
+ Ref: "refs/heads/master",
 CommitSHA: "abc123",
 }
 require.NoError(t, db.Insert(t.Context(), run))