refactor ui

options/locale/locale_en-US.json

@@ -3763,6 +3763,7 @@
   "actions.general.token_permissions.actions_scope.description": "Interact with workflow runs.",
   "actions.general.token_permissions.maximum": "Maximum Token Permissions",
   "actions.general.token_permissions.maximum.description": "The maximum permissions tokens are allowed to have. Workflow-specified permissions cannot exceed these limits.",
+  "actions.general.token_permissions.customize_max_permissions": "Customize maximum permissions",
   "actions.general.token_permissions.fork_pr_note": "Note: Pull requests from forks always have read-only permissions.",
   "actions.general.token_permissions.max_permissions": "Maximum Permissions",
   "actions.general.token_permissions.max_permissions.desc": "Configure better restrictions for the GITEA_TOKEN running in this repository.",

routers/web/org/setting/actions.go

@@ -83,8 +83,9 @@ func UpdateTokenPermissions(ctx *context.Context) {
 		actionsCfg.TokenPermissionMode = permissionMode
 	}
 
+	enableMaxPermissions := ctx.FormBool("enable_max_permissions")
 	// Update Maximum Permissions (radio buttons: none/read/write)
-	if actionsCfg.TokenPermissionMode == repo_model.ActionsTokenPermissionModeCustom {
+	if enableMaxPermissions {
 		parseMaxPerm := func(name string) perm.AccessMode {
 			value := ctx.FormString("max_" + name)
 			switch value {

routers/web/repo/setting/actions.go

@@ -168,7 +168,8 @@ func UpdateTokenPermissions(ctx *context.Context) {
 	}
 
 	// Update Maximum Permissions (radio buttons: none/read/write)
-	if shouldUpdate && actionsCfg.TokenPermissionMode == repo_model.ActionsTokenPermissionModeCustom {
+	enableMaxPermissions := ctx.FormBool("enable_max_permissions")
+	if shouldUpdate && enableMaxPermissions {
 		parseMaxPerm := func(name string) perm.AccessMode {
 			value := ctx.FormString("max_" + name)
 			switch value {
@@ -191,7 +192,7 @@ func UpdateTokenPermissions(ctx *context.Context) {
 			Releases:     parseMaxPerm("releases"),
 			Projects:     parseMaxPerm("projects"),
 		}
-	} else {
+	} else if shouldUpdate {
 		actionsCfg.MaxTokenPermissions = nil
 	}
 

templates/org/settings/actions_general.tmpl

@@ -97,13 +97,6 @@
 					</div>
 					<p class="help">{{ctx.Locale.Tr "actions.general.token_permissions.mode.restricted.desc"}}</p>
 				</div>
-				<div class="field">
-					<div class="ui radio checkbox">
-						<input type="radio" name="token_permission_mode" value="custom" {{if eq .TokenPermissionMode .TokenPermissionModeCustom}}checked{{end}} class="js-permission-mode-radio">
-						<label>{{ctx.Locale.Tr "actions.general.token_permissions.mode.custom"}}</label>
-					</div>
-					<p class="help">{{ctx.Locale.Tr "actions.general.token_permissions.mode.custom.desc"}}</p>
-				</div>
 			</div>
 
 			<div class="divider"></div>
@@ -114,6 +107,13 @@
 					{{ctx.Locale.Tr "actions.general.token_permissions.max_permissions"}}
 				</h5>
 				<p class="help">{{ctx.Locale.Tr "actions.general.token_permissions.max_permissions.desc"}}</p>
+
+				<div class="field">
+					<div class="ui checkbox">
+						<input type="checkbox" name="enable_max_permissions" class="js-enable-max-permissions" {{if .MaxTokenPermissions}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "actions.general.token_permissions.customize_max_permissions"}}</label>
+					</div>
+				</div>
 			</div>
 
 			<table class="ui celled table js-permissions-table">

templates/repo/settings/actions_general.tmpl

@@ -63,13 +63,6 @@
 							<p class="help">{{ctx.Locale.Tr "actions.general.token_permissions.mode.restricted.desc"}}</p>
 						</div>
 					</div>
-					<div class="field">
-						<div class="ui radio checkbox">
-							<input type="radio" name="token_permission_mode" value="{{.TokenPermissionModeCustom}}" {{if eq .TokenPermissionMode .TokenPermissionModeCustom}}checked{{end}} class="js-permission-mode-radio">
-							<label>{{ctx.Locale.Tr "actions.general.token_permissions.mode.custom"}}</label>
-							<p class="help">{{ctx.Locale.Tr "actions.general.token_permissions.mode.custom.desc"}}</p>
-						</div>
-					</div>
 				</div>
 			</div>
 
@@ -84,6 +77,13 @@
 					<span class="ui red text">*</span>
 				</h5>
 				<p class="help">{{ctx.Locale.Tr "actions.general.token_permissions.maximum.description"}}</p>
+
+				<div class="field">
+					<div class="ui checkbox">
+						<input type="checkbox" name="enable_max_permissions" class="js-enable-max-permissions" {{if .MaxTokenPermissions}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "actions.general.token_permissions.customize_max_permissions"}}</label>
+					</div>
+				</div>
 			</div>
 
 			<table class="ui celled table js-permissions-table">

web_src/js/features/repo-settings-actions.ts

@@ -4,6 +4,7 @@ export function initActionsPermissionsTable(): void {
   const tableSection = document.querySelector<HTMLElement>('#max-permissions-section');
   const overrideOrgCheckbox = document.querySelector<HTMLInputElement>('.js-override-org-config');
   const modeSection = document.querySelector<HTMLElement>('.js-permission-mode-section');
+  const enableMaxCheckbox = document.querySelector<HTMLInputElement>('.js-enable-max-permissions');
 
   if (!modeRadios.length) return;
 
@@ -12,9 +13,6 @@ export function initActionsPermissionsTable(): void {
     // If the checkbox does not exist (Org settings), we are never disabled by this rule.
     const shouldDisable = overrideOrgCheckbox ? !overrideOrgCheckbox.checked : false;
 
-    const selectedMode = document.querySelector<HTMLInputElement>('input[name="token_permission_mode"]:checked');
-    const isCustom = selectedMode?.value === 'custom';
-
     // Disable entire form when following org config (Override unchecked)
     for (const radio of modeRadios) {
       radio.disabled = shouldDisable;
@@ -24,18 +22,34 @@ export function initActionsPermissionsTable(): void {
       modeSection.style.opacity = shouldDisable ? '0.5' : '1';
     }
 
-    // Disable table if layout is disabled OR mode is not custom
-    const tableDisabled = shouldDisable || !isCustom;
+    if (enableMaxCheckbox) {
+      enableMaxCheckbox.disabled = shouldDisable;
+    }
+
+    if (tableSection) {
+        tableSection.style.opacity = shouldDisable ? '0.5' : '1';
+    }
+
+    // Disable table if layout is disabled OR max permissions not enabled
+    const isMaxEnabled = enableMaxCheckbox ? enableMaxCheckbox.checked : false;
+    const tableDisabled = shouldDisable || !isMaxEnabled;
+
     if (permTable) {
       const inputs = permTable.querySelectorAll<HTMLInputElement>('input[type="radio"]');
       for (const input of inputs) {
         input.disabled = tableDisabled;
       }
-      permTable.style.display = tableDisabled ? 'none' : '';
-    }
-
-    if (tableSection) {
-      tableSection.style.display = tableDisabled ? 'none' : '';
+      permTable.style.display = isMaxEnabled ? '' : 'none';
+      if (shouldDisable) {
+          permTable.style.opacity = '0.5';
+          // If disabled, we might want to hide it or just show disabled state?
+          // If following Org config, the Org might have max permissions set.
+          // But here we are configuring the REPO overrides.
+          // If not overriding, we show nothing (or disabled state).
+          // Current logic dims everything.
+      } else {
+          permTable.style.opacity = '1';
+      }
     }
   }
 
@@ -44,6 +58,7 @@ export function initActionsPermissionsTable(): void {
   }
 
   overrideOrgCheckbox?.addEventListener('change', updateTableState);
+  enableMaxCheckbox?.addEventListener('change', updateTableState);
 
   updateTableState();