actions from private repos

2025-01-21 20:17:44 +01:00 · 2024-11-19 17:34:06 +08:00 · 2024-11-19 17:34:06 +08:00 · 833def96cf
commit 833def96cf
parent 5eb0ee49a1
8 changed files with 63 additions and 4 deletions
--- a/models/repo/repo_unit.go
+++ b/models/repo/repo_unit.go
@ -169,7 +169,8 @@ func (cfg *PullRequestsConfig) GetDefaultMergeStyle() MergeStyle {
 }

 type ActionsConfig struct {
-	DisabledWorkflows []string
+	DisabledWorkflows       []string
+	AccessbleFromOtherRepos bool
 }

 func (cfg *ActionsConfig) EnableWorkflow(file string) {
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@ -3751,6 +3751,11 @@ variables.creation.success = The variable "%s" has been added.
 variables.update.failed = Failed to edit variable.
 variables.update.success = The variable has been edited.

+general = General
+general.settings = Actions General Settings
+general.actions_accessible_from_other_repositories = Accessible from repositories owned by '%s'
+general.actions_accessible_from_other_repositories_desc = Workflows in other repositories that are owned by the user '%s' can access the actions and reusable workflows in this repository. Access is allowed only from private repositories.
+
 [projects]
 deleted.display_name = Deleted Project
 type-1.display_name = Individual Project
--- a/routers/web/repo/githttp.go
+++ b/routers/web/repo/githttp.go
@ -195,8 +195,16 @@ func httpBase(ctx *context.Context) *serviceHandler {
 					return nil
 				}
 				if task.RepoID != repo.ID {
-					ctx.PlainText(http.StatusForbidden, "User permission denied")
-					return nil
+					taskRepo, err := repo_model.GetRepositoryByID(ctx, task.RepoID)
+					if err != nil {
+						ctx.ServerError("GetRepositoryByID", err)
+						return nil
+					}
+					actionsCfg := repo.MustGetUnit(ctx, unit.TypeActions).ActionsConfig()
+					if !taskRepo.IsPrivate || taskRepo.OwnerID != repo.OwnerID || !actionsCfg.AccessbleFromOtherRepos {
+						ctx.PlainText(http.StatusForbidden, "User permission denied")
+						return nil
+					}
 				}

 				if task.IsForkPullRequest {
--- a/routers/web/repo/setting/actions.go
+++ b/routers/web/repo/setting/actions.go
@ -0,0 +1,23 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+import (
+	"net/http"
+
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/services/context"
+)
+
+const (
+	tplRepoActionsGeneral base.TplName = "repo/settings/actions"
+)
+
+func ActionsGeneral(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("actions.general")
+	ctx.Data["PageType"] = "general"
+	ctx.Data["PageIsActionsSettingsGeneral"] = true
+
+	ctx.HTML(http.StatusOK, tplRepoActionsGeneral)
+}
--- a/routers/web/web.go
+++ b/routers/web/web.go
@ -1133,6 +1133,7 @@ func registerRoutes(m *web.Router) {
 			addSettingsRunnersRoutes()
 			addSettingsSecretsRoutes()
 			addSettingsVariablesRoutes()
+			m.Get("/general", repo_setting.ActionsGeneral)
 		}, actions.MustEnableActions)
 		// the follow handler must be under "settings", otherwise this incomplete repo can't be accessed
 		m.Group("/migrate", func() {
--- a/templates/repo/settings/actions.tmpl
+++ b/templates/repo/settings/actions.tmpl
@ -6,6 +6,8 @@
 			{{template "shared/secrets/add_list" .}}
 		{{else if eq .PageType "variables"}}
 			{{template "shared/variables/variable_list" .}}
+		{{else if eq .PageType "general"}}
+			{{template "repo/settings/actions_general" .}}
 		{{end}}
 	</div>
 {{template "repo/settings/layout_footer" .}}
--- a/templates/repo/settings/actions_general.tmpl
+++ b/templates/repo/settings/actions_general.tmpl
@ -0,0 +1,16 @@
+<div class="repo-setting-content">
+  <h4 class="ui top attached header">
+    {{ctx.Locale.Tr "actions.general.settings"}}
+  </h4>
+  <div class="ui attached segment">
+    <form class="ui form" method="post">
+      <div id="actions_accessible_from_other_repositories_box" class="field">
+        <div class="ui checkbox">
+          <input id="actions_accessible_from_other_repositories" name="actions_accessible_from_other_repositories" type="checkbox">
+          <label>{{ctx.Locale.Tr "actions.general.actions_accessible_from_other_repositories" .Owner.Name}}</label>
+          <p class="help">{{ctx.Locale.Tr "actions.general.actions_accessible_from_other_repositories_desc" .Owner.Name}}</p>
+        </div>
+      </div>
+    </form>
+  </div>
+</div>
--- a/templates/repo/settings/navbar.tmpl
+++ b/templates/repo/settings/navbar.tmpl
@ -34,7 +34,7 @@
 			{{end}}
 		{{end}}
 		{{if and .EnableActions (.Permission.CanRead ctx.Consts.RepoUnitTypeActions)}}
-		<details class="item toggleable-item" {{if or .PageIsSharedSettingsRunners .PageIsSharedSettingsSecrets .PageIsSharedSettingsVariables}}open{{end}}>
+		<details class="item toggleable-item" {{if or .PageIsSharedSettingsRunners .PageIsSharedSettingsSecrets .PageIsSharedSettingsVariables .PageIsActionsSettingsGeneral}}open{{end}}>
 			<summary>{{ctx.Locale.Tr "actions.actions"}}</summary>
 			<div class="menu">
 				<a class="{{if .PageIsSharedSettingsRunners}}active {{end}}item" href="{{.RepoLink}}/settings/actions/runners">
@ -46,6 +46,9 @@
 				<a class="{{if .PageIsSharedSettingsVariables}}active {{end}}item" href="{{.RepoLink}}/settings/actions/variables">
 					{{ctx.Locale.Tr "actions.variables"}}
 				</a>
+				<a class="{{if .PageIsActionsSettingsGeneral}}active {{end}}item" href="{{.RepoLink}}/settings/actions/general">
+					{{ctx.Locale.Tr "actions.general"}}
+				</a>
 			</div>
 		</details>
 		{{end}}