allow actions tokens to access public repos of public/limited owners

models/perm/access/repo_permission.go

@@ -166,9 +166,25 @@ func GetActionRepoPermission(ctx context.Context, repo *repo_model.Repository, t
 		return actionsTaskRepoPermission(ctx, repo, mode)
 	}
 
+	// actions tasks may not access any other private repo
+	if repo.IsPrivate {
 		return Permission{AccessMode: perm_model.AccessModeNone}, nil
 	}
 
+	// load owner for visibility check
+	if err := repo.LoadOwner(ctx); err != nil {
+		return Permission{}, err
+	}
+
+	// actions tokens may not access repos belonging to private users/orgs
+	if repo.Owner.Visibility.IsPrivate() {
+		return Permission{AccessMode: perm_model.AccessModeNone}, nil
+	}
+
+	// otherwise, actions tasks may read public repos belonging to public or limited owners
+	return actionsTaskRepoPermission(ctx, repo, perm_model.AccessModeRead)
+}
+
 // GetUserRepoPermission returns the user permissions to the repository
 func GetUserRepoPermission(ctx context.Context, repo *repo_model.Repository, user *user_model.User) (Permission, error) {
 	var perm Permission