Public visible repository even with REQUIRE_SIGNIN_VIEW set to true (e.g. for Gitea Actions)

[TheMasterFX]

Feature Description

It would be good if Gitea is able to have one or more repositories or organisations that could be accessed without login, even if REQUIRE_SIGNIN_VIEW is set to true. It does not necessarily have to be visible in the web interface, but at least clonable if the URL is known.

Background:
In our company we have regulations that prohibit making internally created code visible to unauthenticated employees (need to know). However, since we do not have a direct internet connection from our servers, and we still want to use Gitea actions that are hosted in the Gitea instance itself (e.g. https://ourgitea.example.com/actions/....). But if we want to use it now we have to work with secrets or deploy keys with absolute URLs for actions when we create a CI/CD workflow, which is very unfortunate for portability.
Maybe I'm just making a mistake in thinking or there are already other solutions for this use case. Maybe it is even the right approach to create a special "gitea" user with permissions to all repositories and to work with access tokens which are then entered in the DEFAULT_ACTIONS_URL.

Screenshots

No response

[lunny]

I think Actions repositories could be public/limited but not private so that every login user could visit it?

[TheMasterFX]

Yes but if REQUIRE_SIGNIN_VIEW is enabled even public can't be accessed without account

[Shuenhoy]

We found a workaround for this problem.
We create a special account that is Restricted (i.e it cannot access anything unless it is granted the permission explicitly).
Then we create a sub site in our caddy proxy pub.git.tld, where a readonly PAT of that account is passed to gitea.

handle @gitpub {
reverse_proxy server:3000 {
	header_up Authorization {env.GITEA_PUB_SECRET}
}
}

This generally generally works well, but with two limitations:

• For actions, we have to write use https://pub.git.tld/actions/xxxx.
• This does not work for the packages of a private account, as we cannot grant the access of a private account to another account.

[bioinformatist]

@lunny We also met the problem. Can we add such a feature for supporting it?

[adriensamson]

Hello, I came across this issue today and I have found another workaround: requiring login only for explore.
With this config, anonymous users can view and clone public repos if (and only if) they know the URL.

[service]
REQUIRE_SIGNIN_VIEW = false
[service.explore]
REQUIRE_SIGNIN_VIEW = true