WIP

2026-02-14 19:05:14 +01:00 · 2025-12-18 09:17:07 +01:00 · 2025-12-18 09:17:07 +01:00 · 43e96d5ead
commit 43e96d5ead
parent 9a69f65ee4
9 changed files with 230 additions and 1 deletions
--- a/models/actions/config.go
+++ b/models/actions/config.go
@ -0,0 +1,43 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"context"
+
+	repo_model "code.gitea.io/gitea/models/repo"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/json"
+)
+
+// GetOrgActionsConfig loads the ActionsConfig for an organization from user settings
+// It returns a default config if no setting is found
+func GetOrgActionsConfig(ctx context.Context, orgID int64) (*repo_model.ActionsConfig, error) {
+	val, err := user_model.GetUserSetting(ctx, orgID, "actions.config")
+	if err != nil {
+		return nil, err
+	}
+
+	cfg := &repo_model.ActionsConfig{}
+	if val == "" {
+		// Return defaults if no config exists
+		return cfg, nil
+	}
+
+	if err := json.Unmarshal([]byte(val), cfg); err != nil {
+		return nil, err
+	}
+
+	return cfg, nil
+}
+
+// SetOrgActionsConfig saves the ActionsConfig for an organization to user settings
+func SetOrgActionsConfig(ctx context.Context, orgID int64, cfg *repo_model.ActionsConfig) error {
+	bs, err := json.Marshal(cfg)
+	if err != nil {
+		return err
+	}
+
+	return user_model.SetUserSetting(ctx, orgID, "actions.config", string(bs))
+}
--- a/models/perm/access/repo_permission.go
+++ b/models/perm/access/repo_permission.go
@ -280,6 +280,19 @@ func GetActionsUserRepoPermission(ctx context.Context, repo *repo_model.Reposito
 		if err != nil || !exist {
 			return perm, err
 		}
+
+		// Check Organization Cross-Repo Access Policy
+		if repo.OwnerID == taskRepo.OwnerID && repo.Owner.IsOrganization() {
+			orgCfg, err := actions_model.GetOrgActionsConfig(ctx, repo.OwnerID)
+			if err != nil {
+				return perm, err
+			}
+			if !orgCfg.AllowCrossRepoAccess {
+				// Deny access if cross-repo is disabled in Org
+				return perm, nil
+			}
+		}
+
 		if !actionsCfg.IsCollaborativeOwner(taskRepo.OwnerID) || !taskRepo.IsPrivate {
 			// The task repo can access the current repo only if the task repo is private and
 			// the owner of the task repo is a collaborative owner of the current repo.
--- a/models/repo/repo_unit.go
+++ b/models/repo/repo_unit.go
@ -240,6 +240,8 @@ type ActionsConfig struct {
 	DefaultTokenPermissions *ActionsTokenPermissions `json:"default_token_permissions,omitempty"`
 	// MaxTokenPermissions defines the maximum permissions (cannot be exceeded by workflow permissions keyword)
 	MaxTokenPermissions *ActionsTokenPermissions `json:"max_token_permissions,omitempty"`
+	// AllowCrossRepoAccess indicates if actions in this repo/org can access other repos in the same org
+	AllowCrossRepoAccess bool `json:"allow_cross_repo_access,omitempty"`
 }

 func (cfg *ActionsConfig) EnableWorkflow(file string) {
--- a/models/user/setting.go
+++ b/models/user/setting.go
@ -10,6 +10,7 @@ import (
 	"strings"

 	"code.gitea.io/gitea/models/db"
+
 	"code.gitea.io/gitea/modules/cache"
 	setting_module "code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@ -3955,6 +3955,8 @@ general.token_permissions.access_read = Read
 general.token_permissions.access_write = Write
 general.token_permissions.access_none = No access
 general.token_permissions.update_success = Token permissions updated successfully.
+general.token_permissions.cross_repo = Cross-Repository Access
+general.token_permissions.cross_repo_desc = Allow workflows in this organization to access other repositories within the same organization.

 [projects]
 deleted.display_name = Deleted Project
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@ -6,7 +6,9 @@ package packages
 import (
 	"net/http"

+	actions_model "code.gitea.io/gitea/models/actions"
 	auth_model "code.gitea.io/gitea/models/auth"
+
 	"code.gitea.io/gitea/models/perm"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
@ -80,6 +82,55 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
 			}
 		}

+		if ctx.Data["IsActionsToken"] == true {
+			if ctx.Package != nil && ctx.Package.Owner.Visibility.IsPrivate() {
+				// Actions rules:
+				// 1. If the package key matches the task repo, allow.
+				// 2. If not, check cross-repo policy.
+
+				taskID, ok := ctx.Data["ActionsTaskID"].(int64)
+				if ok {
+					task, err := actions_model.GetTaskByID(ctx, taskID)
+					if err != nil {
+						log.Error("GetTaskByID: %v", err)
+						ctx.HTTPError(http.StatusInternalServerError, "GetTaskByID", err.Error())
+						return
+					}
+
+					var packageRepoID int64
+					if ctx.Package.Descriptor != nil && ctx.Package.Descriptor.Package != nil {
+						packageRepoID = ctx.Package.Descriptor.Package.RepoID
+					}
+
+					if task.RepoID != packageRepoID {
+						// Not linked to the running repo.
+						// Check Org Policy
+						if ctx.Package.Owner.IsOrganization() {
+							cfg, err := actions_model.GetOrgActionsConfig(ctx, ctx.Package.Owner.ID)
+							if err != nil {
+								log.Error("GetOrgActionsConfig: %v", err)
+								ctx.HTTPError(http.StatusInternalServerError, "GetOrgActionsConfig", err.Error())
+								return
+							}
+							if !cfg.AllowCrossRepoAccess {
+								ctx.HTTPError(http.StatusForbidden, "reqPackageAccess", "cross-repository package access is disabled")
+								return
+							}
+						} else {
+							// For user-owned packages, maybe stricter? Or same?
+							// Issue says "only when they have been linked".
+							// If Owner is User, Cross-Repo setting is not available (it's Org setting).
+							// Default to Strict for Users?
+							if task.RepoID != ctx.Package.RepoID {
+								ctx.HTTPError(http.StatusForbidden, "reqPackageAccess", "package must be linked to the repository")
+								return
+							}
+						}
+					}
+				}
+			}
+		}
+
 		if ctx.Package.AccessMode < accessMode && !ctx.IsUserSiteAdmin() {
 			ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="Gitea Package API"`)
 			ctx.HTTPError(http.StatusUnauthorized, "reqPackageAccess", "user should have specific permission or be a site admin")
--- a/routers/web/org/setting/actions.go
+++ b/routers/web/org/setting/actions.go
@ -0,0 +1,69 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+import (
+	"net/http"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/services/context"
+)
+
+const (
+	tplSettingsActionsGeneral base.TplName = "org/settings/actions_general"
+)
+
+// ActionsGeneral renders the actions general settings page
+func ActionsGeneral(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("actions.actions")
+	ctx.Data["PageIsOrgSettings"] = true
+	ctx.Data["PageIsOrgSettingsActions"] = true
+
+	// Load Org Actions Config
+	actionsCfg, err := actions_model.GetOrgActionsConfig(ctx, ctx.Org.Organization.ID)
+	if err != nil {
+		ctx.ServerError("GetOrgActionsConfig", err)
+		return
+	}
+
+	ctx.Data["TokenPermissionMode"] = actionsCfg.GetTokenPermissionMode()
+	ctx.Data["TokenPermissionModePermissive"] = repo_model.ActionsTokenPermissionModePermissive
+	ctx.Data["TokenPermissionModeRestricted"] = repo_model.ActionsTokenPermissionModeRestricted
+
+	ctx.Data["AllowCrossRepoAccess"] = actionsCfg.AllowCrossRepoAccess
+
+	ctx.HTML(http.StatusOK, tplSettingsActionsGeneral)
+}
+
+// ActionsGeneralPost responses for actions general settings page
+func ActionsGeneralPost(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("actions.actions")
+	ctx.Data["PageIsOrgSettings"] = true
+	ctx.Data["PageIsOrgSettingsActions"] = true
+
+	actionsCfg, err := actions_model.GetOrgActionsConfig(ctx, ctx.Org.Organization.ID)
+	if err != nil {
+		ctx.ServerError("GetOrgActionsConfig", err)
+		return
+	}
+
+	// Update Token Permission Mode
+	permissionMode := repo_model.ActionsTokenPermissionMode(ctx.FormString("token_permission_mode"))
+	if permissionMode == repo_model.ActionsTokenPermissionModeRestricted || permissionMode == repo_model.ActionsTokenPermissionModePermissive {
+		actionsCfg.TokenPermissionMode = permissionMode
+	}
+
+	// Update Cross-Repo Access
+	actionsCfg.AllowCrossRepoAccess = ctx.FormBool("allow_cross_repo_access")
+
+	if err := actions_model.SetOrgActionsConfig(ctx, ctx.Org.Organization.ID, actionsCfg); err != nil {
+		ctx.ServerError("SetOrgActionsConfig", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("org.settings.update_setting_success"))
+	ctx.Redirect(ctx.Org.OrgLink + "/settings/actions")
+}
--- a/routers/web/web.go
+++ b/routers/web/web.go
@ -961,7 +961,8 @@ func registerWebRoutes(m *web.Router) {
 				})

 				m.Group("/actions", func() {
-					m.Get("", org_setting.RedirectToDefaultSetting)
+					m.Get("", org_setting.ActionsGeneral)
+					m.Post("", org_setting.ActionsGeneralPost)
 					addSettingsRunnersRoutes()
 					addSettingsSecretsRoutes()
 					addSettingsVariablesRoutes()
--- a/templates/org/settings/actions_general.tmpl
+++ b/templates/org/settings/actions_general.tmpl
@ -0,0 +1,47 @@
+{{template "org/settings/layout_head" .}}
+<div class="org-setting-content">
+	<h4 class="ui top attached header">
+		{{.locale.Tr "actions.actions"}}
+	</h4>
+	<div class="ui attached segment">
+		<div class="ui grid">
+			<div class="sixteen wide column">
+				<form class="ui form" action="{{.Link}}" method="post">
+					{{.CsrfTokenHtml}}
+					<div class="field">
+						<label>{{.locale.Tr "actions.general.token_permissions.mode"}}</label>
+						<div class="grouped fields">
+							<div class="field">
+								<div class="ui radio checkbox">
+									<input type="radio" name="token_permission_mode" value="{{.TokenPermissionModePermissive}}" {{if eq .TokenPermissionMode .TokenPermissionModePermissive}}checked{{end}}>
+									<label>{{.locale.Tr "actions.general.token_permissions.permissive"}}</label>
+									<p class="help">{{.locale.Tr "actions.general.token_permissions.permissive.description"}}</p>
+								</div>
+							</div>
+							<div class="field">
+								<div class="ui radio checkbox">
+									<input type="radio" name="token_permission_mode" value="{{.TokenPermissionModeRestricted}}" {{if eq .TokenPermissionMode .TokenPermissionModeRestricted}}checked{{end}}>
+									<label>{{.locale.Tr "actions.general.token_permissions.restricted"}}</label>
+									<p class="help">{{.locale.Tr "actions.general.token_permissions.restricted.description"}}</p>
+								</div>
+							</div>
+						</div>
+					</div>
+
+					<h4 class="ui dividing header">{{.locale.Tr "actions.general.token_permissions.cross_repo"}}</h4>
+					<div class="field">
+						<div class="ui checkbox">
+							<input type="checkbox" name="allow_cross_repo_access" {{if .AllowCrossRepoAccess}}checked{{end}}>
+							<label>{{.locale.Tr "actions.general.token_permissions.cross_repo_desc"}}</label>
+						</div>
+					</div>
+
+					<div class="field">
+						<button class="ui green button">{{.locale.Tr "save"}}</button>
+					</div>
+				</form>
+			</div>
+		</div>
+	</div>
+</div>
+{{template "org/settings/layout_footer" .}}