go-gitea · lunny · Mar 21, 2026 · Jan 5, 2026 · Jan 5, 2026 · Jan 5, 2026
diff --git a/cmd/hook.go b/cmd/hook.go
@@ -194,7 +194,7 @@ Gitea or set your environment appropriately.`, "")
 	userID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvPusherID), 10, 64)
 	prID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvPRID), 10, 64)
 	deployKeyID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvDeployKeyID), 10, 64)
-	actionPerm, _ := strconv.Atoi(os.Getenv(repo_module.EnvActionPerm))
+	actionsTaskID, _ := strconv.ParseInt(os.Getenv(repo_module.EnvActionsTaskID), 10, 64)
 
 	hookOptions := private.HookOptions{
 		UserID:                          userID,
@@ -204,7 +204,7 @@ Gitea or set your environment appropriately.`, "")
 		GitPushOptions:                  pushOptions(),
 		PullRequestID:                   prID,
 		DeployKeyID:                     deployKeyID,
-		ActionPerm:                      actionPerm,
+		ActionsTaskID:                   actionsTaskID,
 		IsWiki:                          isWiki,
 	}
 

diff --git a/models/actions/config.go b/models/actions/config.go
@@ -0,0 +1,74 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"context"
+
+	"code.gitea.io/gitea/models/perm"
+	repo_model "code.gitea.io/gitea/models/repo"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/json"
+	"code.gitea.io/gitea/modules/util"
+
+	"xorm.io/xorm/convert"
+)
+
+// OwnerActionsConfig defines the Actions configuration for a user or organization
+type OwnerActionsConfig struct {
+	// TokenPermissionMode defines the default permission mode (permissive, restricted)
+	TokenPermissionMode repo_model.ActionsTokenPermissionMode `json:"token_permission_mode,omitempty"`
+
+	// MaxTokenPermissions defines the absolute maximum permissions any token can have in this context.
+	MaxTokenPermissions *repo_model.ActionsTokenPermissions `json:"max_token_permissions,omitempty"`
+
+	// AllowedCrossRepoIDs is a list of specific repo IDs that can be accessed cross-repo
+	AllowedCrossRepoIDs []int64 `json:"allowed_cross_repo_ids,omitempty"`
+}
+
+var _ convert.ConversionFrom = (*OwnerActionsConfig)(nil)
+
+func (cfg *OwnerActionsConfig) FromDB(bytes []byte) error {
+	_ = json.Unmarshal(bytes, cfg)
+	cfg.TokenPermissionMode, _ = util.EnumValue(cfg.TokenPermissionMode)
+	return nil
+}
+
+// GetOwnerActionsConfig loads the OwnerActionsConfig for a user or organization from user settings
+// It returns a default config if no setting is found
+func GetOwnerActionsConfig(ctx context.Context, userID int64) (ret OwnerActionsConfig, err error) {
+	return user_model.GetUserSettingJSON(ctx, userID, user_model.SettingsKeyActionsConfig, ret)
+}
+
+// SetOwnerActionsConfig saves the OwnerActionsConfig for a user or organization to user settings
+func SetOwnerActionsConfig(ctx context.Context, userID int64, cfg OwnerActionsConfig) error {
+	return user_model.SetUserSettingJSON(ctx, userID, user_model.SettingsKeyActionsConfig, cfg)
+}
+
+// GetDefaultTokenPermissions returns the default token permissions by its TokenPermissionMode.
+func (cfg *OwnerActionsConfig) GetDefaultTokenPermissions() repo_model.ActionsTokenPermissions {
+	switch cfg.TokenPermissionMode {
+	case repo_model.ActionsTokenPermissionModeRestricted:
+		return repo_model.MakeRestrictedPermissions()
+	case repo_model.ActionsTokenPermissionModePermissive:
+		return repo_model.MakeActionsTokenPermissions(perm.AccessModeWrite)
+	default:
+		return repo_model.MakeActionsTokenPermissions(perm.AccessModeNone)
+	}
+}
+
+// GetMaxTokenPermissions returns the maximum allowed permissions
+func (cfg *OwnerActionsConfig) GetMaxTokenPermissions() repo_model.ActionsTokenPermissions {
+	if cfg.MaxTokenPermissions != nil {
+		return *cfg.MaxTokenPermissions
+	}
+	// Default max is write for everything
+	return repo_model.MakeActionsTokenPermissions(perm.AccessModeWrite)
+}
+
+// ClampPermissions ensures that the given permissions don't exceed the maximum
+func (cfg *OwnerActionsConfig) ClampPermissions(perms repo_model.ActionsTokenPermissions) repo_model.ActionsTokenPermissions {
+	maxPerms := cfg.GetMaxTokenPermissions()
+	return repo_model.ClampActionsTokenPermissions(perms, maxPerms)
+}
diff --git a/models/actions/run_job.go b/models/actions/run_job.go
@@ -51,6 +51,11 @@ type ActionRunJob struct {
 	ConcurrencyGroup  string `xorm:"index(repo_concurrency) NOT NULL DEFAULT ''"` // evaluated concurrency.group
 	ConcurrencyCancel bool   `xorm:"NOT NULL DEFAULT FALSE"`                      // evaluated concurrency.cancel-in-progress
 
+	// TokenPermissions stores the explicit permissions from workflow/job YAML (no org/repo clamps applied).
+	// Org/repo clamps are enforced when the token is used at runtime.
+	// It is JSON-encoded repo_model.ActionsTokenPermissions and may be empty if not specified.
+	TokenPermissions *repo_model.ActionsTokenPermissions `xorm:"JSON TEXT"`
+
 	Started timeutil.TimeStamp
 	Stopped timeutil.TimeStamp
 	Created timeutil.TimeStamp `xorm:"created"`

diff --git a/models/actions/token_permissions.go b/models/actions/token_permissions.go
@@ -0,0 +1,60 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"context"
+
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unit"
+)
+
+// ComputeTaskTokenPermissions computes the effective permissions for a job token against the target repository.
+// It uses the job's stored permissions (if any), then applies org/repo clamps and fork/cross-repo restrictions.
+// Note: target repository access policy checks are enforced in GetActionsUserRepoPermission; this function only computes the job token's effective permission ceiling.
+func ComputeTaskTokenPermissions(ctx context.Context, task *ActionTask, targetRepo *repo_model.Repository) (ret repo_model.ActionsTokenPermissions, err error) {
+	if err := task.LoadJob(ctx); err != nil {
+		return ret, err
+	}
+	if err := task.Job.LoadRepo(ctx); err != nil {
+		return ret, err
+	}
+	runRepo := task.Job.Repo
+
+	if err := runRepo.LoadOwner(ctx); err != nil {
+		return ret, err
+	}
+
+	repoActionsCfg := runRepo.MustGetUnit(ctx, unit.TypeActions).ActionsConfig()
+	ownerActionsCfg, err := GetOwnerActionsConfig(ctx, runRepo.OwnerID)
+	if err != nil {
+		return ret, err
+	}
+
+	var jobDeclaredPerms repo_model.ActionsTokenPermissions
+	if task.Job.TokenPermissions != nil {
+		jobDeclaredPerms = *task.Job.TokenPermissions
+	} else if repoActionsCfg.OverrideOwnerConfig {
+		jobDeclaredPerms = repoActionsCfg.GetDefaultTokenPermissions()
+	} else {
+		jobDeclaredPerms = ownerActionsCfg.GetDefaultTokenPermissions()
+	}
+
+	var effectivePerms repo_model.ActionsTokenPermissions
+	if repoActionsCfg.OverrideOwnerConfig {
+		effectivePerms = repoActionsCfg.ClampPermissions(jobDeclaredPerms)
+	} else {
+		effectivePerms = ownerActionsCfg.ClampPermissions(jobDeclaredPerms)
+	}
+
+	// Cross-repository access and fork pull requests are strictly read-only for security.
+	// This ensures a "task repo" cannot gain write access to other repositories via CrossRepoAccess settings.
+	isSameRepo := task.Job.RepoID == targetRepo.ID
+	restrictCrossRepoAccess := task.IsForkPullRequest || !isSameRepo
+	if restrictCrossRepoAccess {
+		effectivePerms = repo_model.ClampActionsTokenPermissions(effectivePerms, repo_model.MakeRestrictedPermissions())
+	}
+
+	return effectivePerms, nil
+}
diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
@@ -402,6 +402,7 @@ func prepareMigrationTasks() []*migration {
 		newMigration(325, "Fix missed repo_id when migrate attachments", v1_26.FixMissedRepoIDWhenMigrateAttachments),
 		newMigration(326, "Migrate commit status target URL to use run ID and job ID", v1_26.FixCommitStatusTargetURLToUseRunAndJobID),
 		newMigration(327, "Add disabled state to action runners", v1_26.AddDisabledToActionRunner),
+		newMigration(328, "Add TokenPermissions column to ActionRunJob", v1_26.AddTokenPermissionsToActionRunJob),
 	}
 	return preparedMigrations
 }

diff --git a/models/migrations/v1_26/v328.go b/models/migrations/v1_26/v328.go
@@ -0,0 +1,16 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_26
+
+import (
+	"xorm.io/xorm"
+)
+
+func AddTokenPermissionsToActionRunJob(x *xorm.Engine) error {
+	type ActionRunJob struct {
+		TokenPermissions string `xorm:"JSON TEXT"`
+	}
+	_, err := x.SyncWithOptions(xorm.SyncOptions{IgnoreDropIndices: true}, new(ActionRunJob))
+	return err
+}
diff --git a/models/perm/access/actions_repo_permission_test.go b/models/perm/access/actions_repo_permission_test.go
@@ -0,0 +1,155 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package access
+
+import (
+	"testing"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	"code.gitea.io/gitea/models/db"
+	perm_model "code.gitea.io/gitea/models/perm"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unit"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetActionsUserRepoPermission(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+	ctx := t.Context()
+
+	// Use fixtures for repos and users
+	repo4 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})   // Public, Owner 5, has Actions unit
+	repo2 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2})   // Private, Owner 2, no Actions unit in fixtures
+	repo15 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 15}) // Private, Owner 2, no Actions unit in fixtures
+	owner2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	actionsUser := user_model.NewActionsUser()
+
+	// Ensure repo2 and repo15 have Actions units for testing configuration
+	for _, r := range []*repo_model.Repository{repo2, repo15} {
+		require.NoError(t, db.Insert(ctx, &repo_model.RepoUnit{
+			RepoID: r.ID,
+			Type:   unit.TypeActions,
+			Config: &repo_model.ActionsConfig{},
+		}))
+	}
+
+	t.Run("SameRepo_Public", func(t *testing.T) {
+		task47 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 47})
+		require.Equal(t, repo4.ID, task47.RepoID)
+
+		perm, err := GetActionsUserRepoPermission(ctx, repo4, actionsUser, task47.ID)
+		require.NoError(t, err)
+
+		// Public repo, bot should have Read access even if not collaborator
+		assert.Equal(t, perm_model.AccessModeNone, perm.AccessMode)
+		assert.True(t, perm.CanRead(unit.TypeCode))
+	})
+
+	t.Run("SameRepo_Private", func(t *testing.T) {
+		// Use Task 53 which is already in Repo 2 (Private)
+		task53 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 53})
+		require.Equal(t, repo2.ID, task53.RepoID)
+
+		perm, err := GetActionsUserRepoPermission(ctx, repo2, actionsUser, task53.ID)
+		require.NoError(t, err)
+
+		// Private repo, bot has no base access, but gets Write from effective tokens perms (Permissive by default)
+		assert.Equal(t, perm_model.AccessModeNone, perm.AccessMode)
+		assert.True(t, perm.CanWrite(unit.TypeCode))
+	})
+
+	t.Run("CrossRepo_Denied_None", func(t *testing.T) {
+		task53 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 53})
+
+		// Set owner policy to nil allowed repos (None)
+		cfg := actions_model.OwnerActionsConfig{}
+		require.NoError(t, actions_model.SetOwnerActionsConfig(ctx, owner2.ID, cfg))
+
+		perm, err := GetActionsUserRepoPermission(ctx, repo15, actionsUser, task53.ID)
+		require.NoError(t, err)
+
+		// Should NOT have access to the private repo.
+		assert.False(t, perm.CanRead(unit.TypeCode))
+	})
+
+	t.Run("ForkPR_NoCrossRepo", func(t *testing.T) {
+		task53 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 53})
+		task53.IsForkPullRequest = true
+		require.NoError(t, actions_model.UpdateTask(ctx, task53, "is_fork_pull_request"))
+
+		// Policy contains repo15
+		cfg := actions_model.OwnerActionsConfig{
+			AllowedCrossRepoIDs: []int64{repo15.ID},
+		}
+		require.NoError(t, actions_model.SetOwnerActionsConfig(ctx, owner2.ID, cfg))
+
+		perm, err := GetActionsUserRepoPermission(ctx, repo15, actionsUser, task53.ID)
+		require.NoError(t, err)
+
+		// Fork PR never gets cross-repo access to other private repos
+		assert.False(t, perm.CanRead(unit.TypeCode))
+	})
+
+	t.Run("Inheritance_And_Clamping", func(t *testing.T) {
+		task53 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 53})
+		task53.IsForkPullRequest = false
+		require.NoError(t, actions_model.UpdateTask(ctx, task53, "is_fork_pull_request"))
+
+		// Owner policy: Restricted mode (Read-only Code)
+		ownerCfg := actions_model.OwnerActionsConfig{
+			TokenPermissionMode: repo_model.ActionsTokenPermissionModeRestricted,
+			MaxTokenPermissions: &repo_model.ActionsTokenPermissions{
+				UnitAccessModes: map[unit.Type]perm_model.AccessMode{
+					unit.TypeCode: perm_model.AccessModeRead,
+				},
+			},
+		}
+		require.NoError(t, actions_model.SetOwnerActionsConfig(ctx, owner2.ID, ownerCfg))
+
+		// Repo policy: OverrideOwnerConfig = false (should inherit owner's restricted mode)
+		repo2ActionsUnit := repo2.MustGetUnit(ctx, unit.TypeActions)
+		repo2ActionsCfg := repo2ActionsUnit.ActionsConfig()
+		repo2ActionsCfg.OverrideOwnerConfig = false
+		require.NoError(t, repo_model.UpdateRepoUnitConfig(ctx, repo2ActionsUnit))
+
+		perm, err := GetActionsUserRepoPermission(ctx, repo2, actionsUser, task53.ID)
+		require.NoError(t, err)
+
+		// Should be clamped to Read-only
+		assert.Equal(t, perm_model.AccessModeRead, perm.UnitAccessMode(unit.TypeCode))
+		assert.False(t, perm.CanWrite(unit.TypeCode))
+	})
+
+	t.Run("RepoOverride_Clamping", func(t *testing.T) {
+		task53 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 53})
+
+		// Owner policy: Permissive (Write access)
+		ownerCfg := actions_model.OwnerActionsConfig{
+			TokenPermissionMode: repo_model.ActionsTokenPermissionModePermissive,
+		}
+		require.NoError(t, actions_model.SetOwnerActionsConfig(ctx, owner2.ID, ownerCfg))
+
+		// Repo policy: OverrideOwnerConfig = true, MaxTokenPermissions = Read
+		repo2ActionsUnit := repo2.MustGetUnit(ctx, unit.TypeActions)
+		repo2ActionsCfg := repo2ActionsUnit.ActionsConfig()
+		repo2ActionsCfg.OverrideOwnerConfig = true
+		repo2ActionsCfg.TokenPermissionMode = repo_model.ActionsTokenPermissionModeRestricted
+		repo2ActionsCfg.MaxTokenPermissions = &repo_model.ActionsTokenPermissions{
+			UnitAccessModes: map[unit.Type]perm_model.AccessMode{
+				unit.TypeCode: perm_model.AccessModeRead,
+			},
+		}
+		require.NoError(t, repo_model.UpdateRepoUnitConfig(ctx, repo2ActionsUnit))
+
+		perm, err := GetActionsUserRepoPermission(ctx, repo2, actionsUser, task53.ID)
+		require.NoError(t, err)
+
+		// Should be clamped to Read-only
+		assert.Equal(t, perm_model.AccessModeRead, perm.UnitAccessMode(unit.TypeCode))
+	})
+}