feat: Add configurable permissions for Actions automatic tokens #36173
Conversation
GiteaBot
added
the
lgtm/need 2
github-actions
bot
added
modifies/translation
modifies/go
|
@lunny @wxiaoguang Please review this |
|
Thank you for asking me to review, but I don't use Actions. You can invite the maintainers from the original issue to review. |
@silverwind Please review |
|
I review mostly frontend stuff and am not much of an actions user myself, so please be patient until someone finds time to review it properly. |
No problem |
|
By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code. What are the differences? Which PR would win ....... @Zettat123 |
This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization) It seems that #36113 implemented these features, but I think its code needs improvement. |
|
Issues I see on this screenshot: 
I can probably help fix those, the first one may be a missing override of the fomantic CSS. |
|
@Zettat123 @silverwind Pls give me a few hours(15-20 hours) and this PR will be ready to go |
But "PR: Feat/actions token permissions #36113" came first, and it is more complete, why not respect the first author, but only review this second one? |
@wxiaoguang should i close my pr ? |
I don't know. Reviewers decide. |
I reviewed both PRs, but did not receive responses to my comments in #36113. If @Excellencedev will address the review comments, I think we should keep this PR. |
|
Imho, the only sensible thing we can do is race these 2 PRs. |
|
Adressed most your comments in my latest commit, now i just need to make sure i fully implement the proposal in #24635 |
| // DefaultTokenPermissions defines the default permissions for workflow tokens | ||
| DefaultTokenPermissions *ActionsTokenPermissions `json:"default_token_permissions,omitempty"` | ||
| // MaxTokenPermissions defines the maximum permissions (cannot be exceeded by workflow permissions keyword) | ||
| MaxTokenPermissions *ActionsTokenPermissions `json:"max_token_permissions,omitempty"` |
There was a problem hiding this comment.
I didn't find a form on the settings page to configure MaxTokenPermissions, is it unused?
|
According to the solution in #24635, I think this PR does not implement:
|
Ok no problem. I'm working on it |
github-actions
bot
added
the
modifies/api
5 participants
Summary
Implements Issue #24635 - Support configuring permissions of automatic tokens for Actions jobs.
This PR adds the ability to configure the default permissions granted to the GITHUB_TOKEN when running workflow jobs in a repository. Users can now choose between:
Changes
Backend
Extended
ActionsConfigstruct inmodels/repo/repo_unit.gowith:ActionsTokenPermissionModetype (permissive/restricted)ActionsTokenPermissionsstruct for per-unit permissions (Contents, Issues, PullRequests, Packages, Actions, Wiki)Modified
GetActionsUserRepoPermissioninmodels/perm/access/repo_permission.goto use configurable per-unit permissions instead of hardcoded access modesAdded
UpdateTokenPermissionshandler inrouters/web/repo/setting/actions.goFrontend
options/locale/locale_en-US.iniTests
models/repo/repo_unit_test.gofor token permission methodsTestActionsTokenPermissionsModesintests/integration/actions_job_token_test.goScreenshots
The new Token Permissions section appears in Settings → Actions → General:
Notes
Related Issues
Closes #24635
/claim #24635