Support actions and reusable workflows from private repos #32562
+408
−45
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
GiteaBot
added
the
lgtm/need 2
github-actions
bot
added
modifies/translation
modifies/go
|
For changes in |
yp05327
reviewed
Nov 25, 2024
yp05327
reviewed
Nov 25, 2024
github-actions
bot
added
modifies/api
|
Is this related to #24635 ? |
|
Any progress for it? |
|
Any progress there? |
|
Any movement here? This would really really help us in our Gitea Cloud account. |
|
Zettat123
force-pushed
the
private-reusable-workflow
branch
from
01211b3 to
82d368c
Compare
Zettat123
force-pushed
the
private-reusable-workflow
branch
from
203ad9c to
01035bd
Compare
lunny
reviewed
Oct 8, 2025
lunny
added
the
docs-update-needed
github-actions
bot
removed
the
docs-update-needed
Co-authored-by: ChristopherHX <christopher.homberger@web.de> Signed-off-by: Zettat123 <zettat123@gmail.com>
Zettat123
added
the
docs-update-needed
lunny
approved these changes
Oct 14, 2025
GiteaBot
added
lgtm/need 1
chhe
pushed a commit
to chhe/act
that referenced
this pull request
Oct 14, 2025
Related to go-gitea/gitea#32562 Resolve https://gitea.com/gitea/act_runner/issues/102 To support using actions and workflows from private repositories, we need to enable act_runner to clone private repositories. ~~But it is not easy to know if a repository is private and whether a token is required when cloning. In this PR, I added a new option `RetryToken`. By default, token is empty. When cloning a repo returns an `authentication required` error, `act_runner` will try to clone the repo again using `RetryToken` as the token.~~ In this PR, I added a new `getGitCloneToken` function. This function returns `GITEA_TOKEN` for cloning remote actions or remote reusable workflows when the cloneURL is from the same Gitea instance that the runner is registered to. Otherwise, it returns an empty string as token for cloning public repos from other instances (such as GitHub). Thanks @ChristopherHX for https://gitea.com/gitea/act/pulls/123#issuecomment-1046171 and https://gitea.com/gitea/act/pulls/123#issuecomment-1046285. Reviewed-on: https://gitea.com/gitea/act/pulls/123 Reviewed-by: ChristopherHX <christopherhx@noreply.gitea.com> Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Zettat123 <zettat123@gmail.com> Co-committed-by: Zettat123 <zettat123@gmail.com>
github-actions
bot
removed
the
docs-update-needed
|
I think we should rewrite Lines 198 to 201 in 38dd432 My expectation was, I can use gitea.token to clone any public repository from my gitea instance. However I was wrong and we didn't seem to had any test on act_runner side to prevent the act change from merge. |
|
Found duplicated permission checks in Lines 191 to 214 in ebd88af Maybe those should use a common function, githttp access and no api access is odd. |
Signed-off-by: Zettat123 <zettat123@gmail.com>
Comment on lines
+269
to
+282
| if task.RepoID != repo.ID { | ||
| taskRepo, exist, err := db.GetByID[repo_model.Repository](ctx, task.RepoID) | ||
| if err != nil || !exist { | ||
| return perm, err | ||
| } | ||
| actionsCfg := repo.MustGetUnit(ctx, unit.TypeActions).ActionsConfig() | ||
| if !actionsCfg.IsCollaborativeOwner(taskRepo.OwnerID) || !taskRepo.IsPrivate { | ||
| // The task repo can access the current repo only if the task repo is private and | ||
| // the owner of the task repo is a collaborative owner of the current repo. | ||
| // FIXME allow public repo read access if tokenless pull is enabled | ||
| return perm, nil | ||
| } | ||
| accessMode = perm_model.AccessModeRead | ||
| } else if task.IsForkPullRequest { |
There was a problem hiding this comment.
Please double check this change, migrated your permission check.
This feels like we need action token tests for this as well, not only api manage tests
There was a problem hiding this comment.
Thanks for the change, I think it looks good.
I updated the test, please review:
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
9 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Resolve https://gitea.com/gitea/act_runner/issues/102
This PR allows administrators of a private repository to specify some collaborative owners. The repositories of collaborative owners will be allowed to access this repository's actions and workflows.
Settings for private repos:
This PR also moves "Enable Actions" setting to
Actions > Generalpage