Make sure pre-receive hook can properly check Actions token permissions based on your repository configuration

2026-01-31 05:44:21 +01:00 · 2025-12-30 05:18:54 +01:00 · 2025-12-30 05:18:54 +01:00 · de0d8da7b6
commit de0d8da7b6
parent efb93b5da1
5 changed files with 42 additions and 23 deletions
--- a/cmd/hook.go
+++ b/cmd/hook.go
@ -187,6 +187,7 @@ Gitea or set your environment appropriately.`, "")
 	prID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvPRID), 10, 64)
 	deployKeyID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvDeployKeyID), 10, 64)
 	actionPerm, _ := strconv.Atoi(os.Getenv(repo_module.EnvActionPerm))
+	actionsTaskID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvActionsTaskID), 10, 64)

 	hookOptions := private.HookOptions{
 		UserID:                          userID,
@ -197,6 +198,7 @@ Gitea or set your environment appropriately.`, "")
 		PullRequestID:                   prID,
 		DeployKeyID:                     deployKeyID,
 		ActionPerm:                      actionPerm,
+		ActionsTaskID:                   actionsTaskID,
 	}

 	scanner := bufio.NewScanner(os.Stdin)
--- a/modules/private/hook.go
+++ b/modules/private/hook.go
@ -38,6 +38,7 @@ type HookOptions struct {
 	DeployKeyID                     int64 // if the pusher is a DeployKey, then UserID is the repo's org user.
 	IsWiki                          bool
 	ActionPerm                      int
+	ActionsTaskID                   int64 // if the pusher is an Actions user, the task ID
 }

 // SSHLogOption ssh log options
--- a/modules/repository/env.go
+++ b/modules/repository/env.go
@ -15,21 +15,22 @@ import (

 // env keys for git hooks need
 const (
-	EnvRepoName     = "GITEA_REPO_NAME"
-	EnvRepoUsername = "GITEA_REPO_USER_NAME"
-	EnvRepoID       = "GITEA_REPO_ID"
-	EnvRepoIsWiki   = "GITEA_REPO_IS_WIKI"
-	EnvPusherName   = "GITEA_PUSHER_NAME"
-	EnvPusherEmail  = "GITEA_PUSHER_EMAIL"
-	EnvPusherID     = "GITEA_PUSHER_ID"
-	EnvKeyID        = "GITEA_KEY_ID" // public key ID
-	EnvDeployKeyID  = "GITEA_DEPLOY_KEY_ID"
-	EnvPRID         = "GITEA_PR_ID"
-	EnvPRIndex      = "GITEA_PR_INDEX" // not used by Gitea at the moment, it is for custom git hooks
-	EnvPushTrigger  = "GITEA_PUSH_TRIGGER"
-	EnvIsInternal   = "GITEA_INTERNAL_PUSH"
-	EnvAppURL       = "GITEA_ROOT_URL"
-	EnvActionPerm   = "GITEA_ACTION_PERM"
+	EnvRepoName      = "GITEA_REPO_NAME"
+	EnvRepoUsername  = "GITEA_REPO_USER_NAME"
+	EnvRepoID        = "GITEA_REPO_ID"
+	EnvRepoIsWiki    = "GITEA_REPO_IS_WIKI"
+	EnvPusherName    = "GITEA_PUSHER_NAME"
+	EnvPusherEmail   = "GITEA_PUSHER_EMAIL"
+	EnvPusherID      = "GITEA_PUSHER_ID"
+	EnvKeyID         = "GITEA_KEY_ID" // public key ID
+	EnvDeployKeyID   = "GITEA_DEPLOY_KEY_ID"
+	EnvPRID          = "GITEA_PR_ID"
+	EnvPRIndex       = "GITEA_PR_INDEX" // not used by Gitea at the moment, it is for custom git hooks
+	EnvPushTrigger   = "GITEA_PUSH_TRIGGER"
+	EnvIsInternal    = "GITEA_INTERNAL_PUSH"
+	EnvAppURL        = "GITEA_ROOT_URL"
+	EnvActionPerm    = "GITEA_ACTION_PERM"
+	EnvActionsTaskID = "GITEA_ACTIONS_TASK_ID"
 )

 type PushTrigger string
--- a/routers/private/hook_pre_receive.go
+++ b/routers/private/hook_pre_receive.go
@ -493,15 +493,29 @@ func (ctx *preReceiveContext) loadPusherAndPermission() bool {

 	if ctx.opts.UserID == user_model.ActionsUserID {
 		ctx.user = user_model.NewActionsUser()
-		ctx.userPerm.AccessMode = perm_model.AccessMode(ctx.opts.ActionPerm)
-		if err := ctx.Repo.Repository.LoadUnits(ctx); err != nil {
-			log.Error("Unable to get User id %d Error: %v", ctx.opts.UserID, err)
-			ctx.JSON(http.StatusInternalServerError, private.Response{
-				Err: fmt.Sprintf("Unable to get User id %d Error: %v", ctx.opts.UserID, err),
-			})
-			return false
+		// Use the new GetActionsUserRepoPermission to respect token permission settings
+		if ctx.opts.ActionsTaskID > 0 {
+			userPerm, err := access_model.GetActionsUserRepoPermission(ctx, ctx.Repo.Repository, ctx.user, ctx.opts.ActionsTaskID)
+			if err != nil {
+				log.Error("Unable to get Actions user repo permission for task %d Error: %v", ctx.opts.ActionsTaskID, err)
+				ctx.JSON(http.StatusInternalServerError, private.Response{
+					Err: fmt.Sprintf("Unable to get Actions user repo permission for task %d Error: %v", ctx.opts.ActionsTaskID, err),
+				})
+				return false
+			}
+			ctx.userPerm = userPerm
+		} else {
+			// Fallback to old behavior if ActionsTaskID is not provided (for backwards compatibility)
+			ctx.userPerm.AccessMode = perm_model.AccessMode(ctx.opts.ActionPerm)
+			if err := ctx.Repo.Repository.LoadUnits(ctx); err != nil {
+				log.Error("Unable to get User id %d Error: %v", ctx.opts.UserID, err)
+				ctx.JSON(http.StatusInternalServerError, private.Response{
+					Err: fmt.Sprintf("Unable to get User id %d Error: %v", ctx.opts.UserID, err),
+				})
+				return false
+			}
+			ctx.userPerm.SetUnitsWithDefaultAccessMode(ctx.Repo.Repository.Units, ctx.userPerm.AccessMode)
 		}
-		ctx.userPerm.SetUnitsWithDefaultAccessMode(ctx.Repo.Repository.Units, ctx.userPerm.AccessMode)
 	} else {
 		user, err := user_model.GetUserByID(ctx, ctx.opts.UserID)
 		if err != nil {
--- a/routers/web/repo/githttp.go
+++ b/routers/web/repo/githttp.go
@ -206,6 +206,7 @@ func httpBase(ctx *context.Context) *serviceHandler {
 					return nil
 				}
 				environ = append(environ, fmt.Sprintf("%s=%d", repo_module.EnvActionPerm, p.UnitAccessMode(unitType)))
+				environ = append(environ, fmt.Sprintf("%s=%d", repo_module.EnvActionsTaskID, taskID))
 			} else {
 				p, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)
 				if err != nil {