From a0cfa82db75dce28e89686d64efb73ee72d6020d Mon Sep 17 00:00:00 2001
From: Hailey Somerville
Date: Thu, 14 Aug 2025 13:12:12 +1000
Subject: [PATCH] allow actions tokens to access public repos of public/limited owners
---
 models/perm/access/repo_permission.go | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/models/perm/access/repo_permission.go b/models/perm/access/repo_permission.go
index 73866cb549..3657f55c4a 100644
--- a/models/perm/access/repo_permission.go
+++ b/models/perm/access/repo_permission.go
@@ -166,7 +166,23 @@ func GetActionRepoPermission(ctx context.Context, repo *repo_model.Repository, t
 return actionsTaskRepoPermission(ctx, repo, mode)
 }
 
- return Permission{AccessMode: perm_model.AccessModeNone}, nil
+ // actions tasks may not access any other private repo
+ if repo.IsPrivate {
+ return Permission{AccessMode: perm_model.AccessModeNone}, nil
+ }
+
+ // load owner for visibility check
+ if err := repo.LoadOwner(ctx); err != nil {
+ return Permission{}, err
+ }
+
+ // actions tokens may not access repos belonging to private users/orgs
+ if repo.Owner.Visibility.IsPrivate() {
+ return Permission{AccessMode: perm_model.AccessModeNone}, nil
+ }
+
+ // otherwise, actions tasks may read public repos belonging to public or limited owners
+ return actionsTaskRepoPermission(ctx, repo, perm_model.AccessModeRead)
 }
 
 // GetUserRepoPermission returns the user permissions to the repository
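Review bot: Nothing in the added branch at the end of GetActionRepoPermission records that a task token is now treated like a signed-in user: limited owner visibility normally restricts repositories to authenticated users, yet the fall-through returns `perm_model.AccessModeRead` for those owners to any task that reaches this point. I would say so in the last comment, for example `// a task token is treated like a signed-in user: it may read public repos of public or limited owners, never private ones`. The function starts outside the hunk and actionsTaskRepoPermission is defined elsewhere, so it is not visible whether that helper still honours per-unit settings when the repository is unrelated to the task; that is worth confirming before merging. The patch changes one file and adds no test, and cases for a private repo, a private owner, a limited owner and a public owner would pin the boundary this widens.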