Skip to content

Support actions and reusable workflows from private repos #32562

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 24 commits into from
Oct 25, 2025
Merged

Support actions and reusable workflows from private repos #32562

merged 24 commits into from
Oct 25, 2025
+408 −45

Conversation

@Zettat123
Copy link
Contributor

@Zettat123 Zettat123 commented Nov 19, 2024
edited
Loading

Resolve https://gitea.com/gitea/act_runner/issues/102

This PR allows administrators of a private repository to specify some collaborative owners. The repositories of collaborative owners will be allowed to access this repository's actions and workflows.

Settings for private repos:

image

This PR also moves "Enable Actions" setting to Actions > General page

image image

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 19, 2024
@github-actions github-actions bot added modifies/translation modifies/go Pull requests that update Go code modifies/templates This PR modifies the template files labels Nov 19, 2024
@pull-request-size pull-request-size bot added size/L and removed size/M labels Nov 20, 2024
@Zettat123 Zettat123 marked this pull request as ready for review November 20, 2024 08:17
@Zettat123
Copy link
Contributor Author

Zettat123 commented Nov 20, 2024
edited
Loading

To support this feature, act_runner also needs some improvements, which I am working on.

For changes in act_runner, see https://gitea.com/gitea/act/pulls/123

@Zettat123
Copy link
Contributor Author

Docs: https://gitea.com/gitea/docs/pulls/107

@Zettat123 Zettat123 marked this pull request as draft November 25, 2024 02:39
yp05327
yp05327 reviewed Nov 25, 2024
View reviewed changes
yp05327
yp05327 reviewed Nov 25, 2024
View reviewed changes
@github-actions github-actions bot added modifies/api This PR adds API routes or modifies them modifies/frontend labels Nov 26, 2024
@lunny
Copy link
Member

lunny commented Dec 21, 2024

Is this related to #24635 ?

@SamuNatsu
Copy link

Any progress for it?

@IBims1ckoky
Copy link

Any progress there?

@codeguy
Copy link

codeguy commented Aug 30, 2025

Any movement here? This would really really help us in our Gitea Cloud account.

@lunny
Copy link
Member

lunny commented Aug 30, 2025
edited
Loading

Any movement here? This would really really help us in our Gitea Cloud account.

I will take the task.

@Zettat123 Zettat123 force-pushed the private-reusable-workflow branch from 01211b3 to 82d368c Compare September 17, 2025 00:29
@Zettat123 Zettat123 force-pushed the private-reusable-workflow branch from 203ad9c to 01035bd Compare October 8, 2025 00:21
@Zettat123 Zettat123 marked this pull request as ready for review October 8, 2025 01:49
lunny
lunny reviewed Oct 8, 2025
View reviewed changes
@ChristopherHX ChristopherHX mentioned this pull request Oct 17, 2025
Closed
@ChristopherHX
Copy link
Contributor

Found duplicated permission checks in

gitea/routers/api/v1/api.go

Lines 191 to 214 in ebd88af

if ctx.Doer != nil && ctx.Doer.ID == user_model.ActionsUserID {
taskID := ctx.Data["ActionsTaskID"].(int64)
task, err := actions_model.GetTaskByID(ctx, taskID)
if err != nil {
ctx.APIErrorInternal(err)
return
}
if task.RepoID != repo.ID {
ctx.APIErrorNotFound()
return
}
if task.IsForkPullRequest {
ctx.Repo.Permission.AccessMode = perm.AccessModeRead
} else {
ctx.Repo.Permission.AccessMode = perm.AccessModeWrite
}
if err := ctx.Repo.Repository.LoadUnits(ctx); err != nil {
ctx.APIErrorInternal(err)
return
}
ctx.Repo.Permission.SetUnitsWithDefaultAccessMode(ctx.Repo.Repository.Units, ctx.Repo.Permission.AccessMode)
} else {

Maybe those should use a common function, githttp access and no api access is odd.

@ChristopherHX
Copy link
Contributor

ChristopherHX commented Oct 17, 2025
edited
Loading

Then lfs again, 3 times same code

gitea/services/lfs/server.go

Lines 523 to 537 in ebd88af

taskID := ctx.Data["ActionsTaskID"].(int64)
task, err := actions_model.GetTaskByID(ctx, taskID)
if err != nil {
log.Error("Unable to GetTaskByID for task[%d] Error: %v", taskID, err)
return false
}
if task.RepoID != repository.ID {
return false
}
if task.IsForkPullRequest {
return accessMode <= perm_model.AccessModeRead
}
return accessMode <= perm_model.AccessModeWrite
}

See here for my proposal: #35688, then only a single method decides wether and what level you can access an repository via an actions token

@Zettat123
Copy link
Contributor Author

See here for my proposal: #35688, then only a single method decides wether and what level you can access an repository via an actions token

I convert this PR to Draft and will improve the permission check after #35688 is merged.

@Zettat123 Zettat123 marked this pull request as draft October 17, 2025 15:12
ChristopherHX
ChristopherHX reviewed Oct 22, 2025
View reviewed changes
@Zettat123 Zettat123 marked this pull request as ready for review October 25, 2025 14:40
@ChristopherHX
Copy link
Contributor

ChristopherHX commented Oct 25, 2025
edited
Loading

EDIT My fault test-repo was public instead of private

 Could it be a private org is broken? Or is this nightly act_runner from https://dl.gitea.com/ not up to date.

test-runner(version:v0.2.13-3-g3b11bac) received task 6 of job test, be triggered by event: push
workflow prepared
evaluating expression 'success()'
expression 'success()' evaluated to 'true'
☁ git clone 'http://localhost:3005/private-actions/actions' # ref=main
cloning http://localhost:3005/private-actions/actions to /Users/christopher/.cache/act/5eac0f0b31fdc5958b4a6e5102b8d6235e0c4c726cc6a1300814391765f96d54
Unable to clone http://localhost:3005/private-actions/actions refs/heads/main: repository not found: Repository not found
repository not found: Repository not found
skipping post step for 'Checkout code'; step was not executed
Cleaning up container for job test
🏁 Job failed
repository not found: Repository not found

Or the server_url is incorrect etc.
image
image

@Zettat123
Copy link
Contributor Author

Could it be a private org is broken? Or is this nightly act_runner from https://dl.gitea.com/ not up to date.

I can't reproduce this issue. Can you make test01/test-repo private and try again?

@ChristopherHX
Copy link
Contributor

well good point, missed my own repo visibility.

ChristopherHX
ChristopherHX approved these changes Oct 25, 2025
View reviewed changes
Copy link
Contributor

@ChristopherHX ChristopherHX left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, we could later enhance troubleshooting

  • by log more information around repository not found
  • if act_runner did an authenticated pull

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Oct 25, 2025
@ChristopherHX
Copy link
Contributor

act could check own repo visibility in it's payload when getting repository not found with token and log an actionable message

@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Oct 25, 2025
@lunny lunny enabled auto-merge (squash) October 25, 2025 17:22
@lunny lunny merged commit c9beb0b into go-gitea:main Oct 25, 2025
26 checks passed
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Oct 25, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yp05327 yp05327 yp05327 left review comments

@lunny lunny lunny approved these changes

@ChristopherHX ChristopherHX ChristopherHX approved these changes

Assignees

No one assigned

Labels

lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/api This PR adds API routes or modifies them modifies/frontend modifies/go Pull requests that update Go code modifies/templates This PR modifies the template files modifies/translation topic/gitea-actions related to the actions of Gitea

Projects

None yet

Milestone

1.26.0

Development

Successfully merging this pull request may close these issues.

9 participants

@Zettat123 @lunny @SamuNatsu @IBims1ckoky @codeguy @ChristopherHX @yp05327 @techknowlogick @GiteaBot