From 833def96cf742baedb2014a3d622a0540a9f222e Mon Sep 17 00:00:00 2001
From: Zettat123 <zettat123@gmail.com>
Date: Tue, 19 Nov 2024 17:34:06 +0800
Subject: [PATCH 1/6] actions from private repos

---
 models/repo/repo_unit.go                     |  3 ++-
 options/locale/locale_en-US.ini              |  5 +++++
 routers/web/repo/githttp.go                  | 12 ++++++++--
 routers/web/repo/setting/actions.go          | 23 ++++++++++++++++++++
 routers/web/web.go                           |  1 +
 templates/repo/settings/actions.tmpl         |  2 ++
 templates/repo/settings/actions_general.tmpl | 16 ++++++++++++++
 templates/repo/settings/navbar.tmpl          |  5 ++++-
 8 files changed, 63 insertions(+), 4 deletions(-)
 create mode 100644 routers/web/repo/setting/actions.go
 create mode 100644 templates/repo/settings/actions_general.tmpl

diff --git a/models/repo/repo_unit.go b/models/repo/repo_unit.go
index cb52c2c9e2058..73884f5fb0b21 100644
--- a/models/repo/repo_unit.go
+++ b/models/repo/repo_unit.go
@@ -169,7 +169,8 @@ func (cfg *PullRequestsConfig) GetDefaultMergeStyle() MergeStyle {
 }
 
 type ActionsConfig struct {
-	DisabledWorkflows []string
+	DisabledWorkflows       []string
+	AccessbleFromOtherRepos bool
 }
 
 func (cfg *ActionsConfig) EnableWorkflow(file string) {
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index c3639fb72e2f3..7e0d280ec102f 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -3751,6 +3751,11 @@ variables.creation.success = The variable "%s" has been added.
 variables.update.failed = Failed to edit variable.
 variables.update.success = The variable has been edited.
 
+general = General
+general.settings = Actions General Settings
+general.actions_accessible_from_other_repositories = Accessible from repositories owned by '%s'
+general.actions_accessible_from_other_repositories_desc = Workflows in other repositories that are owned by the user '%s' can access the actions and reusable workflows in this repository. Access is allowed only from private repositories.
+
 [projects]
 deleted.display_name = Deleted Project
 type-1.display_name = Individual Project
diff --git a/routers/web/repo/githttp.go b/routers/web/repo/githttp.go
index 58a2bdbab1c34..2af559817a326 100644
--- a/routers/web/repo/githttp.go
+++ b/routers/web/repo/githttp.go
@@ -195,8 +195,16 @@ func httpBase(ctx *context.Context) *serviceHandler {
 					return nil
 				}
 				if task.RepoID != repo.ID {
-					ctx.PlainText(http.StatusForbidden, "User permission denied")
-					return nil
+					taskRepo, err := repo_model.GetRepositoryByID(ctx, task.RepoID)
+					if err != nil {
+						ctx.ServerError("GetRepositoryByID", err)
+						return nil
+					}
+					actionsCfg := repo.MustGetUnit(ctx, unit.TypeActions).ActionsConfig()
+					if !taskRepo.IsPrivate || taskRepo.OwnerID != repo.OwnerID || !actionsCfg.AccessbleFromOtherRepos {
+						ctx.PlainText(http.StatusForbidden, "User permission denied")
+						return nil
+					}
 				}
 
 				if task.IsForkPullRequest {
diff --git a/routers/web/repo/setting/actions.go b/routers/web/repo/setting/actions.go
new file mode 100644
index 0000000000000..2689a0825ba88
--- /dev/null
+++ b/routers/web/repo/setting/actions.go
@@ -0,0 +1,23 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+import (
+	"net/http"
+
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/services/context"
+)
+
+const (
+	tplRepoActionsGeneral base.TplName = "repo/settings/actions"
+)
+
+func ActionsGeneral(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("actions.general")
+	ctx.Data["PageType"] = "general"
+	ctx.Data["PageIsActionsSettingsGeneral"] = true
+
+	ctx.HTML(http.StatusOK, tplRepoActionsGeneral)
+}
diff --git a/routers/web/web.go b/routers/web/web.go
index 137c67730652d..e266bdd884018 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -1133,6 +1133,7 @@ func registerRoutes(m *web.Router) {
 			addSettingsRunnersRoutes()
 			addSettingsSecretsRoutes()
 			addSettingsVariablesRoutes()
+			m.Get("/general", repo_setting.ActionsGeneral)
 		}, actions.MustEnableActions)
 		// the follow handler must be under "settings", otherwise this incomplete repo can't be accessed
 		m.Group("/migrate", func() {
diff --git a/templates/repo/settings/actions.tmpl b/templates/repo/settings/actions.tmpl
index f38ab5b658412..5388de35af35e 100644
--- a/templates/repo/settings/actions.tmpl
+++ b/templates/repo/settings/actions.tmpl
@@ -6,6 +6,8 @@
 			{{template "shared/secrets/add_list" .}}
 		{{else if eq .PageType "variables"}}
 			{{template "shared/variables/variable_list" .}}
+		{{else if eq .PageType "general"}}
+			{{template "repo/settings/actions_general" .}}
 		{{end}}
 	</div>
 {{template "repo/settings/layout_footer" .}}
diff --git a/templates/repo/settings/actions_general.tmpl b/templates/repo/settings/actions_general.tmpl
new file mode 100644
index 0000000000000..65d3917e8cd05
--- /dev/null
+++ b/templates/repo/settings/actions_general.tmpl
@@ -0,0 +1,16 @@
+<div class="repo-setting-content">
+  <h4 class="ui top attached header">
+    {{ctx.Locale.Tr "actions.general.settings"}}
+  </h4>
+  <div class="ui attached segment">
+    <form class="ui form" method="post">
+      <div id="actions_accessible_from_other_repositories_box" class="field">
+        <div class="ui checkbox">
+          <input id="actions_accessible_from_other_repositories" name="actions_accessible_from_other_repositories" type="checkbox">
+          <label>{{ctx.Locale.Tr "actions.general.actions_accessible_from_other_repositories" .Owner.Name}}</label>
+          <p class="help">{{ctx.Locale.Tr "actions.general.actions_accessible_from_other_repositories_desc" .Owner.Name}}</p>
+        </div>
+      </div>
+    </form>
+  </div>
+</div>
diff --git a/templates/repo/settings/navbar.tmpl b/templates/repo/settings/navbar.tmpl
index 3e127ccbb3517..e33893bee7959 100644
--- a/templates/repo/settings/navbar.tmpl
+++ b/templates/repo/settings/navbar.tmpl
@@ -34,7 +34,7 @@
 			{{end}}
 		{{end}}
 		{{if and .EnableActions (.Permission.CanRead ctx.Consts.RepoUnitTypeActions)}}
-		<details class="item toggleable-item" {{if or .PageIsSharedSettingsRunners .PageIsSharedSettingsSecrets .PageIsSharedSettingsVariables}}open{{end}}>
+		<details class="item toggleable-item" {{if or .PageIsSharedSettingsRunners .PageIsSharedSettingsSecrets .PageIsSharedSettingsVariables .PageIsActionsSettingsGeneral}}open{{end}}>
 			<summary>{{ctx.Locale.Tr "actions.actions"}}</summary>
 			<div class="menu">
 				<a class="{{if .PageIsSharedSettingsRunners}}active {{end}}item" href="{{.RepoLink}}/settings/actions/runners">
@@ -46,6 +46,9 @@
 				<a class="{{if .PageIsSharedSettingsVariables}}active {{end}}item" href="{{.RepoLink}}/settings/actions/variables">
 					{{ctx.Locale.Tr "actions.variables"}}
 				</a>
+				<a class="{{if .PageIsActionsSettingsGeneral}}active {{end}}item" href="{{.RepoLink}}/settings/actions/general">
+					{{ctx.Locale.Tr "actions.general"}}
+				</a>
 			</div>
 		</details>
 		{{end}}

From f73073df4142b4235167652b8e1f433f2f14ebcd Mon Sep 17 00:00:00 2001
From: Zettat123 <zettat123@gmail.com>
Date: Wed, 20 Nov 2024 13:03:23 +0800
Subject: [PATCH 2/6] add ActionsGeneralSettingsPost

---
 routers/web/repo/setting/actions.go          | 34 ++++++++++++++++++--
 routers/web/web.go                           |  4 ++-
 templates/repo/settings/actions_general.tmpl |  9 ++++--
 3 files changed, 41 insertions(+), 6 deletions(-)

diff --git a/routers/web/repo/setting/actions.go b/routers/web/repo/setting/actions.go
index 2689a0825ba88..778078115c9a3 100644
--- a/routers/web/repo/setting/actions.go
+++ b/routers/web/repo/setting/actions.go
@@ -6,18 +6,46 @@ package setting
 import (
 	"net/http"
 
+	repo_model "code.gitea.io/gitea/models/repo"
+	unit_model "code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/services/context"
 )
 
 const (
-	tplRepoActionsGeneral base.TplName = "repo/settings/actions"
+	tplRepoActionsGeneralSettings base.TplName = "repo/settings/actions"
 )
 
-func ActionsGeneral(ctx *context.Context) {
+func ActionsGeneralSettings(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("actions.general")
 	ctx.Data["PageType"] = "general"
 	ctx.Data["PageIsActionsSettingsGeneral"] = true
 
-	ctx.HTML(http.StatusOK, tplRepoActionsGeneral)
+	actionsUnit, err := ctx.Repo.Repository.GetUnit(ctx, unit_model.TypeActions)
+	if err != nil {
+		ctx.ServerError("GetUnit", err)
+		return
+	}
+	actionsCfg := actionsUnit.ActionsConfig()
+
+	ctx.Data["AccessibleFromOtherRepos"] = actionsCfg.AccessbleFromOtherRepos
+
+	ctx.HTML(http.StatusOK, tplRepoActionsGeneralSettings)
+}
+
+func ActionsGeneralSettingsPost(ctx *context.Context) {
+	actionsUnit, err := ctx.Repo.Repository.GetUnit(ctx, unit_model.TypeActions)
+	if err != nil {
+		ctx.ServerError("GetUnit", err)
+		return
+	}
+	actionsCfg := actionsUnit.ActionsConfig()
+	actionsCfg.AccessbleFromOtherRepos = ctx.FormBool("actions_accessible_from_other_repositories")
+
+	if err := repo_model.UpdateRepoUnit(ctx, actionsUnit); err != nil {
+		ctx.ServerError("UpdateRepoUnit", err)
+		return
+	}
+
+	ctx.Redirect(ctx.Repo.RepoLink + "/settings/actions/general")
 }
diff --git a/routers/web/web.go b/routers/web/web.go
index e266bdd884018..8cd4455899d7a 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -1133,7 +1133,9 @@ func registerRoutes(m *web.Router) {
 			addSettingsRunnersRoutes()
 			addSettingsSecretsRoutes()
 			addSettingsVariablesRoutes()
-			m.Get("/general", repo_setting.ActionsGeneral)
+			m.Combo("/general").
+				Get(repo_setting.ActionsGeneralSettings).
+				Post(repo_setting.ActionsGeneralSettingsPost)
 		}, actions.MustEnableActions)
 		// the follow handler must be under "settings", otherwise this incomplete repo can't be accessed
 		m.Group("/migrate", func() {
diff --git a/templates/repo/settings/actions_general.tmpl b/templates/repo/settings/actions_general.tmpl
index 65d3917e8cd05..9ec9dccc36cdd 100644
--- a/templates/repo/settings/actions_general.tmpl
+++ b/templates/repo/settings/actions_general.tmpl
@@ -3,14 +3,19 @@
     {{ctx.Locale.Tr "actions.general.settings"}}
   </h4>
   <div class="ui attached segment">
-    <form class="ui form" method="post">
+    <form class="ui form" action="{{.Link}}" method="post">
+      {{.CsrfTokenHtml}}
       <div id="actions_accessible_from_other_repositories_box" class="field">
         <div class="ui checkbox">
-          <input id="actions_accessible_from_other_repositories" name="actions_accessible_from_other_repositories" type="checkbox">
+          <input id="actions_accessible_from_other_repositories" name="actions_accessible_from_other_repositories" type="checkbox" {{if .AccessibleFromOtherRepos}}checked{{end}}>
           <label>{{ctx.Locale.Tr "actions.general.actions_accessible_from_other_repositories" .Owner.Name}}</label>
           <p class="help">{{ctx.Locale.Tr "actions.general.actions_accessible_from_other_repositories_desc" .Owner.Name}}</p>
         </div>
       </div>
+      <div class="divider"></div>
+      <div class="field">
+        <button class="ui primary button">{{ctx.Locale.Tr "save"}}</button>
+      </div>
     </form>
   </div>
 </div>

From 73b00ea10e03ce9b41971cb4460bba490e0416fc Mon Sep 17 00:00:00 2001
From: Zettat123 <zettat123@gmail.com>
Date: Wed, 20 Nov 2024 14:15:08 +0800
Subject: [PATCH 3/6] misc

---
 routers/web/repo/githttp.go         | 8 ++++++--
 routers/web/repo/setting/actions.go | 4 +---
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/routers/web/repo/githttp.go b/routers/web/repo/githttp.go
index 2af559817a326..d7e036067527c 100644
--- a/routers/web/repo/githttp.go
+++ b/routers/web/repo/githttp.go
@@ -195,13 +195,17 @@ func httpBase(ctx *context.Context) *serviceHandler {
 					return nil
 				}
 				if task.RepoID != repo.ID {
+					actionsCfg := repo.MustGetUnit(ctx, unit.TypeActions).ActionsConfig()
 					taskRepo, err := repo_model.GetRepositoryByID(ctx, task.RepoID)
 					if err != nil {
 						ctx.ServerError("GetRepositoryByID", err)
 						return nil
 					}
-					actionsCfg := repo.MustGetUnit(ctx, unit.TypeActions).ActionsConfig()
-					if !taskRepo.IsPrivate || taskRepo.OwnerID != repo.OwnerID || !actionsCfg.AccessbleFromOtherRepos {
+					if !actionsCfg.AccessbleFromOtherRepos || taskRepo.OwnerID != repo.OwnerID || !taskRepo.IsPrivate {
+						// See https://docs.github.com/en/actions/sharing-automations/sharing-actions-and-workflows-from-your-private-repository
+						// Any actions or reusable workflows stored in the private repository can be used in
+						// workflows defined in other private repositories owned by the same organization or user.
+						// Actions and reusable workflows stored in private repositories cannot be used in public repositories.
 						ctx.PlainText(http.StatusForbidden, "User permission denied")
 						return nil
 					}
diff --git a/routers/web/repo/setting/actions.go b/routers/web/repo/setting/actions.go
index 778078115c9a3..2dea6c0f7c9e7 100644
--- a/routers/web/repo/setting/actions.go
+++ b/routers/web/repo/setting/actions.go
@@ -12,9 +12,7 @@ import (
 	"code.gitea.io/gitea/services/context"
 )
 
-const (
-	tplRepoActionsGeneralSettings base.TplName = "repo/settings/actions"
-)
+const tplRepoActionsGeneralSettings base.TplName = "repo/settings/actions"
 
 func ActionsGeneralSettings(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("actions.general")

From 8fcf1b68be1479a18c464c68d587b476bca57ea6 Mon Sep 17 00:00:00 2001
From: Zettat123 <zettat123@gmail.com>
Date: Wed, 20 Nov 2024 16:01:54 +0800
Subject: [PATCH 4/6] lint

---
 templates/repo/settings/actions_general.tmpl | 38 ++++++++++----------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/templates/repo/settings/actions_general.tmpl b/templates/repo/settings/actions_general.tmpl
index 9ec9dccc36cdd..3ff0887132236 100644
--- a/templates/repo/settings/actions_general.tmpl
+++ b/templates/repo/settings/actions_general.tmpl
@@ -1,21 +1,21 @@
 <div class="repo-setting-content">
-  <h4 class="ui top attached header">
-    {{ctx.Locale.Tr "actions.general.settings"}}
-  </h4>
-  <div class="ui attached segment">
-    <form class="ui form" action="{{.Link}}" method="post">
-      {{.CsrfTokenHtml}}
-      <div id="actions_accessible_from_other_repositories_box" class="field">
-        <div class="ui checkbox">
-          <input id="actions_accessible_from_other_repositories" name="actions_accessible_from_other_repositories" type="checkbox" {{if .AccessibleFromOtherRepos}}checked{{end}}>
-          <label>{{ctx.Locale.Tr "actions.general.actions_accessible_from_other_repositories" .Owner.Name}}</label>
-          <p class="help">{{ctx.Locale.Tr "actions.general.actions_accessible_from_other_repositories_desc" .Owner.Name}}</p>
-        </div>
-      </div>
-      <div class="divider"></div>
-      <div class="field">
-        <button class="ui primary button">{{ctx.Locale.Tr "save"}}</button>
-      </div>
-    </form>
-  </div>
+	<h4 class="ui top attached header">
+		{{ctx.Locale.Tr "actions.general.settings"}}
+	</h4>
+	<div class="ui attached segment">
+		<form class="ui form" action="{{.Link}}" method="post">
+			{{.CsrfTokenHtml}}
+			<div id="actions_accessible_from_other_repositories_box" class="field">
+				<div class="ui checkbox">
+					<input id="actions_accessible_from_other_repositories" name="actions_accessible_from_other_repositories" type="checkbox" {{if .AccessibleFromOtherRepos}}checked{{end}}>
+					<label>{{ctx.Locale.Tr "actions.general.actions_accessible_from_other_repositories" .Owner.Name}}</label>
+					<p class="help">{{ctx.Locale.Tr "actions.general.actions_accessible_from_other_repositories_desc" .Owner.Name}}</p>
+				</div>
+			</div>
+			<div class="divider"></div>
+			<div class="field">
+				<button class="ui primary button">{{ctx.Locale.Tr "save"}}</button>
+			</div>
+		</form>
+	</div>
 </div>

From bc71cc4fc0fa7137d17518ff09d40ef9ca89e95d Mon Sep 17 00:00:00 2001
From: Zettat123 <zettat123@gmail.com>
Date: Fri, 22 Nov 2024 16:03:54 +0800
Subject: [PATCH 5/6] improvements for public repos

---
 options/locale/locale_en-US.ini              |  1 +
 routers/web/repo/setting/actions.go          | 18 +++++++++++-------
 templates/repo/settings/actions_general.tmpl | 10 ++++++++--
 3 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 5fb9a8d53a0e4..82ac38ea00d95 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -3758,6 +3758,7 @@ general = General
 general.settings = Actions General Settings
 general.actions_accessible_from_other_repositories = Accessible from repositories owned by '%s'
 general.actions_accessible_from_other_repositories_desc = Workflows in other repositories that are owned by the user '%s' can access the actions and reusable workflows in this repository. Access is allowed only from private repositories.
+general.actions_always_accessible_desc = The actions and workflows of a public repository are always accessible to other repositories.
 
 [projects]
 deleted.display_name = Deleted Project
diff --git a/routers/web/repo/setting/actions.go b/routers/web/repo/setting/actions.go
index 2dea6c0f7c9e7..b8afbbc314f04 100644
--- a/routers/web/repo/setting/actions.go
+++ b/routers/web/repo/setting/actions.go
@@ -19,14 +19,18 @@ func ActionsGeneralSettings(ctx *context.Context) {
 	ctx.Data["PageType"] = "general"
 	ctx.Data["PageIsActionsSettingsGeneral"] = true
 
-	actionsUnit, err := ctx.Repo.Repository.GetUnit(ctx, unit_model.TypeActions)
-	if err != nil {
-		ctx.ServerError("GetUnit", err)
-		return
+	accessbleFromOtherRepos := false
+	if !ctx.Repo.Repository.IsPrivate {
+		accessbleFromOtherRepos = true
+	} else {
+		actionsUnit, err := ctx.Repo.Repository.GetUnit(ctx, unit_model.TypeActions)
+		if err != nil {
+			ctx.ServerError("GetUnit", err)
+			return
+		}
+		accessbleFromOtherRepos = actionsUnit.ActionsConfig().AccessbleFromOtherRepos
 	}
-	actionsCfg := actionsUnit.ActionsConfig()
-
-	ctx.Data["AccessibleFromOtherRepos"] = actionsCfg.AccessbleFromOtherRepos
+	ctx.Data["AccessibleFromOtherRepos"] = accessbleFromOtherRepos
 
 	ctx.HTML(http.StatusOK, tplRepoActionsGeneralSettings)
 }
diff --git a/templates/repo/settings/actions_general.tmpl b/templates/repo/settings/actions_general.tmpl
index 3ff0887132236..071d386b31985 100644
--- a/templates/repo/settings/actions_general.tmpl
+++ b/templates/repo/settings/actions_general.tmpl
@@ -7,9 +7,15 @@
 			{{.CsrfTokenHtml}}
 			<div id="actions_accessible_from_other_repositories_box" class="field">
 				<div class="ui checkbox">
-					<input id="actions_accessible_from_other_repositories" name="actions_accessible_from_other_repositories" type="checkbox" {{if .AccessibleFromOtherRepos}}checked{{end}}>
+					<input id="actions_accessible_from_other_repositories" name="actions_accessible_from_other_repositories" type="checkbox" {{if not .Repository.IsPrivate}}disabled{{end}} {{if .AccessibleFromOtherRepos}}checked{{end}}>
 					<label>{{ctx.Locale.Tr "actions.general.actions_accessible_from_other_repositories" .Owner.Name}}</label>
-					<p class="help">{{ctx.Locale.Tr "actions.general.actions_accessible_from_other_repositories_desc" .Owner.Name}}</p>
+					<p class="help">
+					{{if .Repository.IsPrivate}}
+						{{ctx.Locale.Tr "actions.general.actions_accessible_from_other_repositories_desc" .Owner.Name}}
+					{{else}}
+						{{ctx.Locale.Tr "actions.general.actions_always_accessible_desc"}}
+					{{end}}
+					</p>
 				</div>
 			</div>
 			<div class="divider"></div>

From 9ae509373f17e40701e85b23731d20aec373524f Mon Sep 17 00:00:00 2001
From: Zettat123 <zettat123@gmail.com>
Date: Fri, 22 Nov 2024 16:32:25 +0800
Subject: [PATCH 6/6] lint

---
 routers/web/repo/setting/actions.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/routers/web/repo/setting/actions.go b/routers/web/repo/setting/actions.go
index b8afbbc314f04..a1bfe46b99a2b 100644
--- a/routers/web/repo/setting/actions.go
+++ b/routers/web/repo/setting/actions.go
@@ -19,7 +19,7 @@ func ActionsGeneralSettings(ctx *context.Context) {
 	ctx.Data["PageType"] = "general"
 	ctx.Data["PageIsActionsSettingsGeneral"] = true
 
-	accessbleFromOtherRepos := false
+	var accessbleFromOtherRepos bool
 	if !ctx.Repo.Repository.IsPrivate {
 		accessbleFromOtherRepos = true
 	} else {