mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-11 04:23:04 -05:00
[Proposal] Support configuring permissions of automatic tokens of Actions jobs #10823
Open
opened 2025-11-02 09:19:10 -06:00 by GiteaMirror
·
16 comments
No Branch/Tag Specified
main
release/v1.25
release/v1.24
release/v1.23
release/v1.22
release/v1.21
release/v1.20
release/v1.19
release/v1.18
release/v1.17
release/v1.16
release/v1.15
release/v1.14
release/v1.13
release/v1.12
release/v1.11
release/v1.10
release/v1.9
release/v1.8
v1.25.3
v1.25.2
v1.25.1
v1.25.0
v1.24.7
v1.25.0-rc0
v1.26.0-dev
v1.24.6
v1.24.5
v1.24.4
v1.24.3
v1.24.2
v1.24.1
v1.24.0
v1.23.8
v1.24.0-rc0
v1.25.0-dev
v1.23.7
v1.23.6
v1.23.5
v1.23.4
v1.23.3
v1.23.2
v1.23.1
v1.23.0
v1.23.0-rc0
v1.24.0-dev
v1.22.6
v1.22.5
v1.22.4
v1.22.3
v1.22.2
v1.22.1
v1.22.0
v1.23.0-dev
v1.22.0-rc1
v1.21.11
v1.22.0-rc0
v1.21.10
v1.21.9
v1.21.8
v1.21.7
v1.21.6
v1.21.5
v1.21.4
v1.21.3
v1.21.2
v1.20.6
v1.21.1
v1.21.0
v1.21.0-rc2
v1.21.0-rc1
v1.20.5
v1.22.0-dev
v1.21.0-rc0
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.19.4
v1.21.0-dev
v1.20.0-rc2
v1.20.0-rc1
v1.20.0-rc0
v1.19.3
v1.19.2
v1.19.1
v1.19.0
v1.19.0-rc1
v1.20.0-dev
v1.19.0-rc0
v1.18.5
v1.18.4
v1.18.3
v1.18.2
v1.18.1
v1.18.0
v1.17.4
v1.18.0-rc1
v1.19.0-dev
v1.18.0-rc0
v1.17.3
v1.17.2
v1.17.1
v1.17.0
v1.17.0-rc2
v1.16.9
v1.17.0-rc1
v1.18.0-dev
v1.16.8
v1.16.7
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16.0
v1.15.11
v1.17.0-dev
v1.16.0-rc1
v1.15.10
v1.15.9
v1.15.8
v1.15.7
v1.15.6
v1.15.5
v1.15.4
v1.15.3
v1.15.2
v1.15.1
v1.14.7
v1.15.0
v1.15.0-rc3
v1.14.6
v1.15.0-rc2
v1.14.5
v1.16.0-dev
v1.15.0-rc1
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.7
v1.14.0-rc2
v1.13.6
v1.13.5
v1.14.0-rc1
v1.15.0-dev
v1.13.4
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.6
v1.13.0-rc2
v1.14.0-dev
v1.13.0-rc1
v1.12.5
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.11.8
v1.12.0
v1.11.7
v1.12.0-rc2
v1.11.6
v1.12.0-rc1
v1.13.0-dev
v1.11.5
v1.11.4
v1.11.3
v1.10.6
v1.12.0-dev
v1.11.2
v1.10.5
v1.11.1
v1.10.4
v1.11.0
v1.11.0-rc2
v1.10.3
v1.11.0-rc1
v1.10.2
v1.10.1
v1.10.0
v1.9.6
v1.9.5
v1.10.0-rc2
v1.11.0-dev
v1.10.0-rc1
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.9.0-rc2
v1.10.0-dev
v1.9.0-rc1
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.8.0-rc3
v1.7.6
v1.8.0-rc2
v1.7.5
v1.8.0-rc1
v1.9.0-dev
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.7.0-rc3
v1.6.4
v1.7.0-rc2
v1.6.3
v1.7.0-rc1
v1.7.0-dev
v1.6.2
v1.6.1
v1.6.0
v1.6.0-rc2
v1.5.3
v1.6.0-rc1
v1.6.0-dev
v1.5.2
v1.5.1
v1.5.0
v1.5.0-rc2
v1.5.0-rc1
v1.5.0-dev
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.4.0-rc3
v1.4.0-rc2
v1.3.3
v1.4.0-rc1
v1.3.2
v1.3.1
v1.3.0
v1.3.0-rc2
v1.3.0-rc1
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc3
v1.2.0-rc2
v1.1.4
v1.2.0-rc1
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.2
v1.0.1
v1.0.0
v0.9.99
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
Mirrored from GitHub Pull Request
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/gitea#10823
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @wolfogre on GitHub (May 10, 2023).
Background
When a Gitea Actions job has been picked by a runner, a automatically generated token will be given to the runner at the same time. This is a short-lived token that immediately becomes invalid when the job is completed.
The token can be used to access the repository to which it belongs, such as cloning code via
actions/checkout. You can use it withgitea.token,secrets.GITEA_TOKEN, orgithub.token,secrets.GITHUB_TOKENto ensure compatibility.However, the permissions of this token are not really clear to everyone. IIRC, currently it can:
Sometimes it’s not convenient, for example, you cannot use this token to write packages, so it’s annoying when releasing.
Some PRs try to add more permissions to this token, but I’m cautious about this, see:
My reason is that, in the absence of a means to configure permissions for automatic tokens, we need to be cautious about granting more permissions by default, even if it may cause some inconvenience, as it could bring about security risks. I would say it's "inconvenient", not "impossible", because you can always provide an access token or deploy key as a secret to do anything you want, just like using an external CI/CD system.
However, Gitea Actions isn't an external CI/CD system, so it could do better. The first thing that should be done is supporting the configuration of permissions for automatic tokens. It's not a simple thing, but the good news is that we can refer to GitHub.
How does a GitHub do
On GitHub, you can choose between permissive mode or restricted mode on the settings page of a repository or organization.
The two modes have different default permissions, see Automatic token authentication. This is a coarse-grained setting. Sometimes it's not enough.
So you can specify permissions for specific workflows or jobs in the workflow files. See:
permissionsjobs.<job_id>.permissionsHowever, you can overwrite the default permissions of the mode in workflow files by this, instead of being limited by them. That means even if the repository is in restricted mode, it is still possible to obtain higher permission in its workflow files. In my opinion, Gitea is not suitable for this design, because Gitea doesn't support code owners yet, that means as long as someone has permission to write code, they can access anything via Actions by obtaining higher permission in workflow files.
Unfortunately, I noticed that the permission control only applies to accessing the same repository, not to accessing other repositories in the same organization. Therefore, the token cannot access other private repositories within the same organization. See Cloning private github repository within organisation in actions - Stackoverflow.
I think Gitea needs to do more to support it.
Solution
Here is my proposal, which draws heavily from GitHub but has been adjusted for Gitea.
Support configuring the permissions
Support configuring the maximum access on the settings page of a repository or organization Something like (this is a fake sketch, I haven't done anything yet):
You can still specify permissions for specific workflows or jobs in the workflow files. However, you cannot obtain higher permissions than the configuration on setting page. You may have noticed that the units in Gitea are not exactly the same as the scopes in GitHub, so some adjustments are needed.
If the job is triggered by a pull request from a forked repository, the maximum access will always be lower than read.
Support configuring access between repositories
On the settings page of an organization, users can configure which repositories can be accessed by Actions from other repositories within the same organization.
Private packages can be accessed by Actions only when they have been linked to repositories
As packages belong to the organization level, it is difficult to determine what to do when repository X tries to write package Y. So let's make things simpler, repository X can write package Y only if:
An access token or deploy key as a secret is recommended for more complex situations
Such as:
@silverwind commented on GitHub (May 10, 2023):
Hmm, having it in-action sure would be convenient because then this permission config would be easily ported to new repos and possibly GH actions without fiddling with the UI. Why exactly do you think such config is unsuitable?
BTW, on GH actions it's possible to obtain write access to the repo by using a write-level deploy key while checking out. I think this method was mostly superceded by the
permissionsoption now, but we should be aware that this "escape hatch" exists.@wolfogre commented on GitHub (May 11, 2023):
I'm sorry I didn't make myself clear, please check the latest version of the description.
Yes, and you can do that on Gitea Actions too.
I agree with you, just like I said, "An access token or deploy key as a secret is recommended for more complex situations".
@Renari commented on GitHub (Nov 16, 2023):
I encountered this today and thought this token feature didn't even exist because it was unable to push releases, my work around atm is to create an application token and to reassign
GITEA_TOKENto the application token:e.g.
This is less than ideal though since it binds the repo permissions to that user account, for my use case a single developer on this project this is fine, but less than ideal since in a team scenario it's binding functionality to an individual user account.
@Frankkkkk commented on GitHub (Dec 21, 2024):
If someone is interested in implementing this feature (also explained here), I will gladly pay them 200€ or gift it to a charity of their choice.
@lunny commented on GitHub (Dec 21, 2024):
This issue suggests there is a
permissionin the workflow YAML files which is different from your proposal. Which one do you prefer?In fact, I think this issue are blocked by some other tasks. One of them is the workflow YAML parser should be replaced by actionslint. The one we are using from act_runner doesn't work well for some syntaxes including
permissions.BTW: We support bounty via https://console.algora.io/org/go-gitea/bounties but we can't guarantee the pull request from bounty hunter will be accepted.
@Frankkkkk commented on GitHub (Dec 21, 2024):
Unless I'm mistaken, the
permissionway is the current Github one, but @wolfogre 's suggestion is a bit different (GUI based), and quite good (way better than mine) TBH.Thanks for the algora tip; I'll try it out tomorrow :)
@algora-pbc[bot] commented on GitHub (Dec 21, 2024):
💎 $200 bounty • Frank Villaro-Dixon
💎 $20 bounty • jibeddari
Steps to solve:
/attempt #24635with your implementation plan/claim #24635in the PR body to claim the bountyThank you for contributing to go-gitea/gitea!
Add a bounty • Share on socials
@Mayank77maruti commented on GitHub (Feb 14, 2025):
/attempt #24635
JavaScript & more
@lolen commented on GitHub (Apr 3, 2025):
@Mayank77maruti any updates on the task?
@Renari commented on GitHub (Apr 3, 2025):
@lolen I'm not sure they're actually working on this, since they have put in an attempt on every bounty on this repo.
@lunny commented on GitHub (Apr 3, 2025):
https://gitea.com/gitea/act/pulls/133 is merged
@jayantpranjal0 commented on GitHub (Jul 2, 2025):
@lunny is this issue supposed to be closed from the PR. I see bounties for this issue, would like to work on this if has not already been solved
@lunny commented on GitHub (Jul 2, 2025):
I think https://gitea.com/gitea/act/pulls/133 just a necessary step to resolve this issue. Pull request is welcome. This is not an easy issue. You can have more discussion here.
@algora-pbc[bot] commented on GitHub (Aug 29, 2025):
💎 $200 bounty • Michael Aldridge
💎 $20 bounty • jibeddari
💎 $200 bounty • Frank
Steps to solve:
/attempt #24635with your implementation plan/claim #24635in the PR body to claim the bounty❗ Important guidelines:
Thank you for contributing to go-gitea/gitea!
@algora-pbc[bot] commented on GitHub (Oct 1, 2025):
💎 $20 bounty • Markus Fenes
💎 $200 bounty • Michael Aldridge
💎 $20 bounty • jibeddari
💎 $200 bounty • Frank
Steps to solve:
/attempt #24635with your implementation plan/claim #24635in the PR body to claim the bounty❗ Important guidelines:
Thank you for contributing to go-gitea/gitea!
@ChristopherHX commented on GitHub (Oct 20, 2025):
Proof of Concept job level permission key: https://github.com/ChristopherHX/gitea/tree/workflow-permissions
Missing
Just for reference to continue later.