go-gitea · Zettat123 · Nov 19, 2024 · Nov 20, 2024 · Nov 20, 2024 · Nov 20, 2024
diff --git a/models/repo/repo_unit.go b/models/repo/repo_unit.go
@@ -169,7 +169,8 @@ func (cfg *PullRequestsConfig) GetDefaultMergeStyle() MergeStyle {
 }
 
 type ActionsConfig struct {
-	DisabledWorkflows []string
+	DisabledWorkflows       []string
+	AccessbleFromOtherRepos bool
 }
 
 func (cfg *ActionsConfig) EnableWorkflow(file string) {

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
@@ -3754,6 +3754,12 @@ variables.creation.success = The variable "%s" has been added.
 variables.update.failed = Failed to edit variable.
 variables.update.success = The variable has been edited.
 
+general = General
+general.settings = Actions General Settings
+general.actions_accessible_from_other_repositories = Accessible from repositories owned by '%s'
+general.actions_accessible_from_other_repositories_desc = Workflows in other repositories that are owned by the user '%s' can access the actions and reusable workflows in this repository. Access is allowed only from private repositories.
+general.actions_always_accessible_desc = The actions and workflows of a public repository are always accessible to other repositories.
+
 [projects]
 deleted.display_name = Deleted Project
 type-1.display_name = Individual Project

diff --git a/routers/web/repo/githttp.go b/routers/web/repo/githttp.go
@@ -195,8 +195,20 @@ func httpBase(ctx *context.Context) *serviceHandler {
 					return nil
 				}
 				if task.RepoID != repo.ID {
-					ctx.PlainText(http.StatusForbidden, "User permission denied")
-					return nil
+					actionsCfg := repo.MustGetUnit(ctx, unit.TypeActions).ActionsConfig()
+					taskRepo, err := repo_model.GetRepositoryByID(ctx, task.RepoID)
+					if err != nil {
+						ctx.ServerError("GetRepositoryByID", err)
+						return nil
+					}
+					if !actionsCfg.AccessbleFromOtherRepos || taskRepo.OwnerID != repo.OwnerID || !taskRepo.IsPrivate {
+						// See https://docs.github.com/en/actions/sharing-automations/sharing-actions-and-workflows-from-your-private-repository
+						// Any actions or reusable workflows stored in the private repository can be used in
+						// workflows defined in other private repositories owned by the same organization or user.
+						// Actions and reusable workflows stored in private repositories cannot be used in public repositories.
+						ctx.PlainText(http.StatusForbidden, "User permission denied")
+						return nil
+					}
 				}
 
 				if task.IsForkPullRequest {

diff --git a/routers/web/repo/setting/actions.go b/routers/web/repo/setting/actions.go
@@ -0,0 +1,53 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+import (
+	"net/http"
+
+	repo_model "code.gitea.io/gitea/models/repo"
+	unit_model "code.gitea.io/gitea/models/unit"
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/services/context"
+)
+
+const tplRepoActionsGeneralSettings base.TplName = "repo/settings/actions"
+
+func ActionsGeneralSettings(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("actions.general")
+	ctx.Data["PageType"] = "general"
+	ctx.Data["PageIsActionsSettingsGeneral"] = true
+
+	var accessbleFromOtherRepos bool
+	if !ctx.Repo.Repository.IsPrivate {
+		accessbleFromOtherRepos = true
+	} else {
+		actionsUnit, err := ctx.Repo.Repository.GetUnit(ctx, unit_model.TypeActions)
+		if err != nil {
+			ctx.ServerError("GetUnit", err)
+			return
+		}
+		accessbleFromOtherRepos = actionsUnit.ActionsConfig().AccessbleFromOtherRepos
+	}
+	ctx.Data["AccessibleFromOtherRepos"] = accessbleFromOtherRepos
+
+	ctx.HTML(http.StatusOK, tplRepoActionsGeneralSettings)
+}
+
+func ActionsGeneralSettingsPost(ctx *context.Context) {
+	actionsUnit, err := ctx.Repo.Repository.GetUnit(ctx, unit_model.TypeActions)
+	if err != nil {
+		ctx.ServerError("GetUnit", err)
+		return
+	}
+	actionsCfg := actionsUnit.ActionsConfig()
+	actionsCfg.AccessbleFromOtherRepos = ctx.FormBool("actions_accessible_from_other_repositories")
+
+	if err := repo_model.UpdateRepoUnit(ctx, actionsUnit); err != nil {
+		ctx.ServerError("UpdateRepoUnit", err)
+		return
+	}
+
+	ctx.Redirect(ctx.Repo.RepoLink + "/settings/actions/general")
+}
diff --git a/routers/web/web.go b/routers/web/web.go
@@ -1133,6 +1133,9 @@ func registerRoutes(m *web.Router) {
 			addSettingsRunnersRoutes()
 			addSettingsSecretsRoutes()
 			addSettingsVariablesRoutes()
+			m.Combo("/general").
+				Get(repo_setting.ActionsGeneralSettings).
+				Post(repo_setting.ActionsGeneralSettingsPost)
 		}, actions.MustEnableActions)
 		// the follow handler must be under "settings", otherwise this incomplete repo can't be accessed
 		m.Group("/migrate", func() {

diff --git a/templates/repo/settings/actions.tmpl b/templates/repo/settings/actions.tmpl
@@ -6,6 +6,8 @@
 			{{template "shared/secrets/add_list" .}}
 		{{else if eq .PageType "variables"}}
 			{{template "shared/variables/variable_list" .}}
+		{{else if eq .PageType "general"}}
+			{{template "repo/settings/actions_general" .}}
 		{{end}}
 	</div>
 {{template "repo/settings/layout_footer" .}}
diff --git a/templates/repo/settings/actions_general.tmpl b/templates/repo/settings/actions_general.tmpl
@@ -0,0 +1,27 @@
+<div class="repo-setting-content">
+	<h4 class="ui top attached header">
+		{{ctx.Locale.Tr "actions.general.settings"}}
+	</h4>
+	<div class="ui attached segment">
+		<form class="ui form" action="{{.Link}}" method="post">
+			{{.CsrfTokenHtml}}
+			<div id="actions_accessible_from_other_repositories_box" class="field">
+				<div class="ui checkbox">
+					<input id="actions_accessible_from_other_repositories" name="actions_accessible_from_other_repositories" type="checkbox" {{if not .Repository.IsPrivate}}disabled{{end}} {{if .AccessibleFromOtherRepos}}checked{{end}}>
+					<label>{{ctx.Locale.Tr "actions.general.actions_accessible_from_other_repositories" .Owner.Name}}</label>
+					<p class="help">
+					{{if .Repository.IsPrivate}}
+						{{ctx.Locale.Tr "actions.general.actions_accessible_from_other_repositories_desc" .Owner.Name}}
+					{{else}}
+						{{ctx.Locale.Tr "actions.general.actions_always_accessible_desc"}}
+					{{end}}
+					</p>
+				</div>
+			</div>
+			<div class="divider"></div>
+			<div class="field">
+				<button class="ui primary button">{{ctx.Locale.Tr "save"}}</button>
+			</div>
+		</form>
+	</div>
+</div>
diff --git a/templates/repo/settings/navbar.tmpl b/templates/repo/settings/navbar.tmpl
@@ -34,7 +34,7 @@
 			{{end}}
 		{{end}}
 		{{if and .EnableActions (.Permission.CanRead ctx.Consts.RepoUnitTypeActions)}}
-		<details class="item toggleable-item" {{if or .PageIsSharedSettingsRunners .PageIsSharedSettingsSecrets .PageIsSharedSettingsVariables}}open{{end}}>
+		<details class="item toggleable-item" {{if or .PageIsSharedSettingsRunners .PageIsSharedSettingsSecrets .PageIsSharedSettingsVariables .PageIsActionsSettingsGeneral}}open{{end}}>
 			<summary>{{ctx.Locale.Tr "actions.actions"}}</summary>
 			<div class="menu">
 				<a class="{{if .PageIsSharedSettingsRunners}}active {{end}}item" href="{{.RepoLink}}/settings/actions/runners">
@@ -46,6 +46,9 @@
 				<a class="{{if .PageIsSharedSettingsVariables}}active {{end}}item" href="{{.RepoLink}}/settings/actions/variables">
 					{{ctx.Locale.Tr "actions.variables"}}
 				</a>
+				<a class="{{if .PageIsActionsSettingsGeneral}}active {{end}}item" href="{{.RepoLink}}/settings/actions/general">
+					{{ctx.Locale.Tr "actions.general"}}
+				</a>
 			</div>
 		</details>
 		{{end}}