From f5c577536d17a6decb9304925fec0e667bd5f3c1 Mon Sep 17 00:00:00 2001
From: Excellencedev <ademiluyisuccessandexcellence@gmail.com>
Date: Sat, 17 Jan 2026 16:02:41 +0100
Subject: [PATCH] CrossRepoMode tests

---
 models/repo/repo_unit.go                    |  2 +-
 tests/integration/actions_job_token_test.go | 26 +++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/models/repo/repo_unit.go b/models/repo/repo_unit.go
index 86a16a3804..b7743128a7 100644
--- a/models/repo/repo_unit.go
+++ b/models/repo/repo_unit.go
@@ -320,7 +320,7 @@ type ActionsConfig struct {
 	MaxTokenPermissions *ActionsTokenPermissions `json:"max_token_permissions,omitempty"`
 	// CrossRepoMode indicates which repos in the org can be accessed (none, all, or selected)
 	CrossRepoMode ActionsCrossRepoMode `json:"cross_repo_mode,omitempty"`
-	// AllowedCrossRepoIDs is a list of specific repo IDs that can be accessed cross-repo (empty means all if AllowCrossRepoAccess is true)
+	// AllowedCrossRepoIDs is a list of specific repo IDs that can be accessed cross-repo (only used if CrossRepoMode is ActionsCrossRepoModeSelected)
 	AllowedCrossRepoIDs []int64 `json:"allowed_cross_repo_ids,omitempty"`
 	// OverrideOrgConfig indicates if this repository should override the organization-level configuration
 	OverrideOrgConfig bool `json:"override_org_config,omitempty"`
diff --git a/tests/integration/actions_job_token_test.go b/tests/integration/actions_job_token_test.go
index 1d8ce58bc4..f9fcc63b5e 100644
--- a/tests/integration/actions_job_token_test.go
+++ b/tests/integration/actions_job_token_test.go
@@ -510,6 +510,32 @@ func TestActionsCrossRepoAccess(t *testing.T) {
 			writeReq.Header.Set("Authorization", "Bearer "+task.Token)
 			MakeRequest(t, writeReq, http.StatusUnauthorized)
 		})
+
+		// 7. Test Cross-Repo Access - Specific Repositories
+		t.Run("Cross-Repo Access - Specific Repositories", func(t *testing.T) {
+			// Set mode to Selected with ONLY repo-B
+			require.NoError(t, actions_model.SetOrgActionsConfig(t.Context(), org.ID, &repo_model.ActionsConfig{
+				CrossRepoMode:       repo_model.ActionsCrossRepoModeSelected,
+				AllowedCrossRepoIDs: []int64{repoBID},
+			}))
+
+			// Access to repo-B should succeed
+			testCtx.Reponame = "repo-B"
+			testCtx.ExpectedCode = http.StatusOK
+			doAPIGetRepository(testCtx, func(t *testing.T, r structs.Repository) {
+				assert.Equal(t, "repo-B", r.Name)
+			})(t)
+
+			// Remove repo-B from allowed list
+			require.NoError(t, actions_model.SetOrgActionsConfig(t.Context(), org.ID, &repo_model.ActionsConfig{
+				CrossRepoMode:       repo_model.ActionsCrossRepoModeSelected,
+				AllowedCrossRepoIDs: []int64{}, // Empty list
+			}))
+
+			// Access to repo-B should fail (404)
+			testCtx.ExpectedCode = http.StatusNotFound
+			doAPIGetRepository(testCtx, nil)(t)
+		})
 	})
 }