
Conversation

@Excellencedev

Summary

Implements Issue #24635 - Support configuring permissions of automatic tokens for Actions jobs.

This PR adds the ability to configure the default permissions granted to the GITHUB_TOKEN when running workflow jobs in a repository. Users can now choose between:

  • Permissive mode (default): Workflows have read and write permissions for all scopes (backwards compatible with existing behavior)
  • Restricted mode: Workflows have read-only permissions by default

Changes

Backend

  • Extended ActionsConfig struct in models/repo/repo_unit.go with:

    • ActionsTokenPermissionMode type (permissive/restricted)
    • ActionsTokenPermissions struct for per-unit permissions (Contents, Issues, PullRequests, Packages, Actions, Wiki)
    • Helper methods for getting effective permissions and clamping
  • Modified GetActionsUserRepoPermission in models/perm/access/repo_permission.go to use configurable per-unit permissions instead of hardcoded access modes

  • Added UpdateTokenPermissions handler in routers/web/repo/setting/actions.go

Frontend

  • Added Token Permissions UI section in repository Settings → Actions → General
  • Added locale strings in options/locale/locale_en-US.ini

Tests

  • Added unit tests in models/repo/repo_unit_test.go for token permission methods
  • Added integration test TestActionsTokenPermissionsModes in tests/integration/actions_job_token_test.go

Screenshots

The new Token Permissions section appears in Settings → Actions → General:

  • Radio buttons for Permissive/Restricted mode
  • Warning note about fork PRs always being read-only
[Screenshot 2025-12-17 071658: the Token Permissions section]

Notes

  • Fork pull requests always receive read-only access regardless of settings (security feature)
  • Default behavior is "permissive" for backwards compatibility
  • No database migration required - settings stored as JSON in existing repo_unit config

Related Issues

Closes #24635
/claim #24635

@GiteaBot GiteaBot added the lgtm/need 2 label (This PR needs two approvals by maintainers to be considered for merging.) on Dec 17, 2025
@github-actions github-actions bot added the modifies/translation, modifies/go (Pull requests that update Go code) and modifies/templates (This PR modifies the template files) labels on Dec 17, 2025
@Excellencedev
Author

@lunny @wxiaoguang Please review this

@wxiaoguang
Contributor

Thank you for asking me to review, but I don't use Actions. You can invite the maintainers from the original issue to review.

@Excellencedev
Author

@silverwind Please review

@lunny lunny requested a review from Zettat123 December 17, 2025 16:53
@silverwind
Member

I review mostly frontend stuff and am not much of an actions user myself, so please be patient until someone finds time to review it properly.

@Excellencedev
Author

No problem

ctx.Data["TokenPermissionModePermissive"] = repo_model.ActionsTokenPermissionModePermissive
ctx.Data["TokenPermissionModeRestricted"] = repo_model.ActionsTokenPermissionModeRestricted
ctx.Data["EffectiveTokenPermissions"] = actionsCfg.GetEffectiveTokenPermissions(false)
ctx.Data["MaxTokenPermissions"] = actionsCfg.GetMaxTokenPermissions()

EffectiveTokenPermissions and MaxTokenPermissions are not being used on the frontend page. Should they be removed?

permissionMode := ctx.FormString("token_permission_mode")
if permissionMode == string(repo_model.ActionsTokenPermissionModeRestricted) {
actionsCfg.TokenPermissionMode = repo_model.ActionsTokenPermissionModeRestricted
} else {

When permissionMode is not "permissive" or "restricted", it's better to return 400 Bad Request
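As an added example (not the PR's code and not Gitea's API), a hypothetical Go model of the behaviour the PR description and the review comment above describe: the mode sets a ceiling, per-unit permissions are clamped to it, fork PRs are forced to read-only, and the mode parser rejects unknown form values so a handler can answer 400 instead of silently falling back to permissive. All type names, method names and unit keys are assumptions.

```go
package main
import "errors"

// Hypothetical model of the logic the PR describes (not Gitea's code): the
// mode sets a ceiling, per-unit values are clamped to it, forks get read-only.
type AccessMode int
type TokenPermissionMode string
type TokenPermissions map[string]AccessMode
const (
	AccessRead, AccessWrite AccessMode = 1, 2
	ModePermissive TokenPermissionMode = "permissive"
	ModeRestricted TokenPermissionMode = "restricted"
)
var ErrBadMode = errors.New("unknown token permission mode") // handler maps this to 400
// ParseTokenPermissionMode accepts only the two known modes rather than
// silently treating any other form value as permissive.
func ParseTokenPermissionMode(s string) (TokenPermissionMode, error) {
	switch m := TokenPermissionMode(s); m {
	case ModePermissive, ModeRestricted:
		return m, nil
	}
	return "", ErrBadMode
}

// Units named in the PR description; the keys are assumed, not Gitea's.
var Units = []string{"contents", "issues", "pull_requests", "packages", "actions", "wiki"}

type ActionsConfig struct {
	TokenPermissionMode TokenPermissionMode
	TokenPermissions    TokenPermissions // optional per-unit overrides
}

// EffectiveTokenPermissions returns the per-unit access a job's token gets.
// Restricted mode caps everything at read; a fork PR caps at read regardless.
func (c ActionsConfig) EffectiveTokenPermissions(isForkPR bool) TokenPermissions {
	ceiling := AccessWrite // permissive is the backwards-compatible default
	if c.TokenPermissionMode == ModeRestricted || isForkPR {
		ceiling = AccessRead
	}
	out := make(TokenPermissions, len(Units))
	for _, u := range Units {
		want := ceiling // assumption: units without an override get the ceiling
		if v, ok := c.TokenPermissions[u]; ok && v < want {
			want = v // clamp: an override may lower access, never raise it
		}
		out[u] = want
	}
	return out
}
```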

})
}

func testActionsTokenPermissionsMode(u *url.URL, mode string, expectReadOnly bool) func(t *testing.T) {

mode and expectReadOnly params are unused, is this as expected?

@wxiaoguang
Contributor

By the way, I see another (older) PR: Feat/actions token permissions #36113 , it added more than 2000 lines of code.

What are the differences? Which PR would win ....... @Zettat123

@Zettat123
Contributor

This PR doesn't fully implement the proposal in #24635. (For example, it doesn't support configuring actions access between repositories in the same organization)

It seems that #36113 implemented these features, but I think its code needs improvement.

Successfully merging this pull request may close these issues: [Proposal] Support configuring permissions of automatic tokens of Actions jobs