From 1a9ab86a15868e9db0f179bef35c2f3518ebb91d Mon Sep 17 00:00:00 2001
From: Naxdy <naxdy@naxdy.org>
Date: Sat, 12 Jul 2025 11:17:40 +0200
Subject: [PATCH] Also consider actions user when evaluating push privileges on
 protected branch

---
 routers/private/hook_pre_receive.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/routers/private/hook_pre_receive.go b/routers/private/hook_pre_receive.go
index dd9d0bc15e..dfd2d5d902 100644
--- a/routers/private/hook_pre_receive.go
+++ b/routers/private/hook_pre_receive.go
@@ -253,7 +253,7 @@ func preReceiveBranch(ctx *preReceiveContext, oldCommitID, newCommitID string, r
 
 	// 5. Check if the doer is allowed to push (and force-push if the incoming push is a force-push)
 	var canPush bool
-	if ctx.opts.DeployKeyID != 0 {
+	if ctx.opts.DeployKeyID != 0 || ctx.user.ID == user_model.ActionsUserID {
 		// This flag is only ever true if protectBranch.CanForcePush is true
 		if isForcePush {
 			canPush = !changedProtectedfiles && protectBranch.CanPush && (!protectBranch.EnableForcePushAllowlist || protectBranch.ForcePushAllowlistDeployKeys)