diff --git a/services/actions/permission_parser.go b/services/actions/permission_parser.go
index 9ff6134a7a..8c06e27d4b 100644
--- a/services/actions/permission_parser.go
+++ b/services/actions/permission_parser.go
@@ -117,6 +117,11 @@ func parseRawPermissionsExplicit(rawPerms *yaml.Node) *repo_model.ActionsTokenPe
 result.UnitAccessModes[unit.TypeReleases] = mode
 case "projects":
 result.UnitAccessModes[unit.TypeProjects] = mode
+ // Scopes github supports but gitea does not, see url for details
+ // https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax
+ case "artifact-metadata", "attestations", "checks", "deployments",
+ "id-token", "models", "discussions", "pages", "security-events", "statuses":
+ // not supported
 default:
 setting.PanicInDevOrTesting("Unrecognized permission scope: %s", scope)
 }
diff --git a/services/actions/permission_parser_test.go b/services/actions/permission_parser_test.go
index 06352516fd..9986814b48 100644
--- a/services/actions/permission_parser_test.go
+++ b/services/actions/permission_parser_test.go
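Review bot: The new `case` for the GitHub-only scopes has an empty body explained only by `// not supported`, which does not tell a later maintainer that these scopes are accepted on purpose and must grant nothing on the token. A workflow that requests `id-token: write` is now parsed without complaint, so I would spell the contract out, e.g. `// Accepted for GitHub workflow compatibility; intentionally ignored, no access is granted for these scopes.` A debug-level log naming the ignored scope would also let a workflow author see that the request had no effect; whether a logger is in scope in this file is not visible in the hunk. The switch and the rest of parseRawPermissionsExplicit start and end outside the hunk.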
@@ -33,6 +33,36 @@ func TestParseRawPermissions_ReadAll(t *testing.T) {
 assert.Equal(t, perm.AccessModeRead, result.UnitAccessModes[unit.TypeProjects])
 }
 
+// TestParseRawPermissions_GithubScopes verifies that all scopes that github supports are accounted for
+func TestParseRawPermissions_GithubScopes(t *testing.T) {
+ var rawPerms yaml.Node
+ // Taken and stripped down from:
+ // https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#defining-access-for-the-github_token-scopes
+ yamlContent := `
+actions: read
+artifact-metadata: read
+attestations: read
+checks: read
+contents: read
+deployments: read
+id-token: write
+issues: read
+models: read
+discussions: read
+packages: read
+pages: read
+pull-requests: read
+security-events: read
+statuses: read`
+ err := yaml.Unmarshal([]byte(yamlContent), &rawPerms)
+ require.NoError(t, err)
+
+ result := parseRawPermissionsExplicit(&rawPerms)
+ require.NotNil(t, result)
+
+ // No asserts for permissions set on purpose
+}
+
 func TestParseRawPermissions_WriteAll(t *testing.T) {
 var rawPerms yaml.Node
 err := yaml.Unmarshal([]byte(`write-all`), &rawPerms)
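Review bot: TestParseRawPermissions_GithubScopes only requires a non-nil result, so it would still pass if one of the ignored scopes were later mapped to a unit and began granting access. The closing comment `// No asserts for permissions set on purpose` also leaves out what the test relies on; presumably an unhandled scope reaches `setting.PanicInDevOrTesting` and panics under test, which is worth writing down, e.g. `// An unhandled scope reaches setting.PanicInDevOrTesting, which is expected to panic in tests.` To pin the fail-closed behaviour I would parse a second document holding only the keys that are not in the new case list (`actions`, `contents`, `issues`, `packages`, `pull-requests`) and add `assert.Equal(t, parseRawPermissionsExplicit(&supportedOnly), result)`.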