diff --git a/models/actions/config.go b/models/actions/config.go
new file mode 100644
index 0000000000000..7bd64b74d4ccc
--- /dev/null
+++ b/models/actions/config.go
@@ -0,0 +1,43 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"context"
+
+	repo_model "code.gitea.io/gitea/models/repo"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/json"
+)
+
+// GetOrgActionsConfig loads the ActionsConfig for an organization from user settings
+// It returns a default config if no setting is found
+func GetOrgActionsConfig(ctx context.Context, orgID int64) (*repo_model.ActionsConfig, error) {
+	val, err := user_model.GetUserSetting(ctx, orgID, "actions.config")
+	if err != nil {
+		return nil, err
+	}
+
+	cfg := &repo_model.ActionsConfig{}
+	if val == "" {
+		// Return defaults if no config exists
+		return cfg, nil
+	}
+
+	if err := json.Unmarshal([]byte(val), cfg); err != nil {
+		return nil, err
+	}
+
+	return cfg, nil
+}
+
+// SetOrgActionsConfig saves the ActionsConfig for an organization to user settings
+func SetOrgActionsConfig(ctx context.Context, orgID int64, cfg *repo_model.ActionsConfig) error {
+	bs, err := json.Marshal(cfg)
+	if err != nil {
+		return err
+	}
+
+	return user_model.SetUserSetting(ctx, orgID, "actions.config", string(bs))
+}
diff --git a/models/perm/access/repo_permission.go b/models/perm/access/repo_permission.go
index 3235d83203cf2..b21f716e8ee44 100644
--- a/models/perm/access/repo_permission.go
+++ b/models/perm/access/repo_permission.go
@@ -95,7 +95,7 @@ func (p *Permission) UnitAccessMode(unitType unit.Type) perm_model.AccessMode {
 	if m, ok := p.unitsMode[unitType]; ok {
 		return util.Iif(p.AccessMode >= perm_model.AccessModeAdmin, p.AccessMode, m)
 	}
-	// if the units map does not contain the access mode, return the default access mode if the unit exists
+	// If the units map does not contain the access mode, return the default access mode if the unit exists
 	unitDefaultAccessMode := p.AccessMode
 	unitDefaultAccessMode = max(unitDefaultAccessMode, p.anonymousAccessMode[unitType])
 	unitDefaultAccessMode = max(unitDefaultAccessMode, p.everyoneAccessMode[unitType])
@@ -104,6 +104,7 @@ func (p *Permission) UnitAccessMode(unitType unit.Type) perm_model.AccessMode {
 }
 
 func (p *Permission) SetUnitsWithDefaultAccessMode(units []*repo_model.RepoUnit, mode perm_model.AccessMode) {
+	p.AccessMode = mode
 	p.units = units
 	p.unitsMode = make(map[unit.Type]perm_model.AccessMode)
 	for _, u := range p.units {
@@ -268,14 +269,45 @@ func GetActionsUserRepoPermission(ctx context.Context, repo *repo_model.Reposito
 		return perm, err
 	}
 
-	var accessMode perm_model.AccessMode
+	if err := repo.LoadUnits(ctx); err != nil {
+		return perm, err
+	}
+
+	actionsUnit, err := repo.GetUnit(ctx, unit.TypeActions)
+	if err != nil {
+		// If Actions unit doesn't exist, return empty permission
+		if repo_model.IsErrUnitTypeNotExist(err) {
+			return perm, nil
+		}
+		return perm, err
+	}
+	actionsCfg := actionsUnit.ActionsConfig()
+
 	if task.RepoID != repo.ID {
 		taskRepo, exist, err := db.GetByID[repo_model.Repository](ctx, task.RepoID)
 		if err != nil || !exist {
 			return perm, err
 		}
-		actionsCfg := repo.MustGetUnit(ctx, unit.TypeActions).ActionsConfig()
-		if !actionsCfg.IsCollaborativeOwner(taskRepo.OwnerID) || !taskRepo.IsPrivate {
+
+		// Check Organization Cross-Repo Access Policy
+		if err := repo.LoadOwner(ctx); err != nil {
+			return perm, err
+		}
+
+		isSameOrg := false
+		if repo.OwnerID == taskRepo.OwnerID && repo.Owner.IsOrganization() {
+			isSameOrg = true
+			orgCfg, err := actions_model.GetOrgActionsConfig(ctx, repo.OwnerID)
+			if err != nil {
+				return perm, err
+			}
+			if !orgCfg.AllowCrossRepoAccess {
+				// Deny access if cross-repo is disabled in Org
+				return perm, nil
+			}
+		}
+
+		if (!isSameOrg && !actionsCfg.IsCollaborativeOwner(taskRepo.OwnerID)) || !taskRepo.IsPrivate {
 			// The task repo can access the current repo only if the task repo is private and
 			// the owner of the task repo is a collaborative owner of the current repo.
 			// FIXME should owner's visibility also be considered here?
@@ -288,17 +320,34 @@ func GetActionsUserRepoPermission(ctx context.Context, repo *repo_model.Reposito
 			perm.AccessMode = min(perm.AccessMode, perm_model.AccessModeRead)
 			return perm, nil
 		}
-		accessMode = perm_model.AccessModeRead
-	} else if task.IsForkPullRequest {
-		accessMode = perm_model.AccessModeRead
-	} else {
-		accessMode = perm_model.AccessModeWrite
+		// Cross-repo access is always read-only
+		perm.SetUnitsWithDefaultAccessMode(repo.Units, perm_model.AccessModeRead)
+		return perm, nil
 	}
 
-	if err := repo.LoadUnits(ctx); err != nil {
-		return perm, err
+	// Get effective token permissions from repository settings
+	effectivePerms := actionsCfg.GetEffectiveTokenPermissions(task.IsForkPullRequest)
+	effectivePerms = actionsCfg.ClampPermissions(effectivePerms)
+
+	// Set up per-unit access modes based on configured permissions
+	perm.units = repo.Units
+	perm.unitsMode = make(map[unit.Type]perm_model.AccessMode)
+	perm.unitsMode[unit.TypeCode] = effectivePerms.Contents
+	perm.unitsMode[unit.TypeIssues] = effectivePerms.Issues
+	perm.unitsMode[unit.TypePullRequests] = effectivePerms.PullRequests
+	perm.unitsMode[unit.TypePackages] = effectivePerms.Packages
+	perm.unitsMode[unit.TypeActions] = effectivePerms.Actions
+	perm.unitsMode[unit.TypeWiki] = effectivePerms.Wiki
+
+	// Set base access mode to the maximum of all unit permissions
+	maxMode := perm_model.AccessModeNone
+	for _, mode := range perm.unitsMode {
+		if mode > maxMode {
+			maxMode = mode
+		}
 	}
-	perm.SetUnitsWithDefaultAccessMode(repo.Units, accessMode)
+	perm.AccessMode = maxMode
+
 	return perm, nil
 }
 
diff --git a/models/repo/repo_unit.go b/models/repo/repo_unit.go
index ad0bb9d3f82ec..e84a52439c5b0 100644
--- a/models/repo/repo_unit.go
+++ b/models/repo/repo_unit.go
@@ -168,11 +168,112 @@ func (cfg *PullRequestsConfig) GetDefaultMergeStyle() MergeStyle {
 	return MergeStyleMerge
 }
 
+// ActionsTokenPermissionMode defines the default permission mode for Actions tokens
+type ActionsTokenPermissionMode string
+
+const (
+	// ActionsTokenPermissionModePermissive - write access by default (current behavior, backwards compatible)
+	ActionsTokenPermissionModePermissive ActionsTokenPermissionMode = "permissive"
+	// ActionsTokenPermissionModeRestricted - read access by default
+	ActionsTokenPermissionModeRestricted ActionsTokenPermissionMode = "restricted"
+	// ActionsTokenPermissionModeCustom - user-defined permissions
+	ActionsTokenPermissionModeCustom ActionsTokenPermissionMode = "custom"
+)
+
+// ActionsTokenPermissions defines the permissions for different repository units
+type ActionsTokenPermissions struct {
+	// Contents (repository code) - read/write/none
+	Contents perm.AccessMode `json:"contents"`
+	// Issues - read/write/none
+	Issues perm.AccessMode `json:"issues"`
+	// PullRequests - read/write/none
+	PullRequests perm.AccessMode `json:"pull_requests"`
+	// Packages - read/write/none
+	Packages perm.AccessMode `json:"packages"`
+	// Actions - read/write/none
+	Actions perm.AccessMode `json:"actions"`
+	// Wiki - read/write/none
+	Wiki perm.AccessMode `json:"wiki"`
+}
+
+// HasAccess checks if the permission meets the required access level for the given scope
+func (p ActionsTokenPermissions) HasAccess(scope string, required perm.AccessMode) bool {
+	var mode perm.AccessMode
+	switch scope {
+	case "actions":
+		mode = p.Actions
+	case "contents":
+		mode = p.Contents
+	case "issues":
+		mode = p.Issues
+	case "packages":
+		mode = p.Packages
+	case "pull_requests":
+		mode = p.PullRequests
+	case "wiki":
+		mode = p.Wiki
+	}
+	return mode >= required
+}
+
+// HasRead checks if the permission has read access for the given scope (convenience wrapper for templates)
+func (p ActionsTokenPermissions) HasRead(scope string) bool {
+	return p.HasAccess(scope, perm.AccessModeRead)
+}
+
+// HasWrite checks if the permission has write access for the given scope (convenience wrapper for templates)
+func (p ActionsTokenPermissions) HasWrite(scope string) bool {
+	return p.HasAccess(scope, perm.AccessModeWrite)
+}
+
+// DefaultActionsTokenPermissions returns the default permissions for permissive mode
+func DefaultActionsTokenPermissions(mode ActionsTokenPermissionMode) ActionsTokenPermissions {
+	if mode == ActionsTokenPermissionModeRestricted {
+		return ActionsTokenPermissions{
+			Contents:     perm.AccessModeRead,
+			Issues:       perm.AccessModeRead,
+			PullRequests: perm.AccessModeRead,
+			Packages:     perm.AccessModeRead,
+			Actions:      perm.AccessModeRead,
+			Wiki:         perm.AccessModeRead,
+		}
+	}
+	// Permissive mode (default)
+	return ActionsTokenPermissions{
+		Contents:     perm.AccessModeWrite,
+		Issues:       perm.AccessModeWrite,
+		PullRequests: perm.AccessModeWrite,
+		Packages:     perm.AccessModeRead, // Packages read by default for security
+		Actions:      perm.AccessModeWrite,
+		Wiki:         perm.AccessModeWrite,
+	}
+}
+
+// ForkPullRequestPermissions returns the restricted permissions for fork pull requests
+func ForkPullRequestPermissions() ActionsTokenPermissions {
+	return ActionsTokenPermissions{
+		Contents:     perm.AccessModeRead,
+		Issues:       perm.AccessModeRead,
+		PullRequests: perm.AccessModeRead,
+		Packages:     perm.AccessModeRead,
+		Actions:      perm.AccessModeRead,
+		Wiki:         perm.AccessModeRead,
+	}
+}
+
 type ActionsConfig struct {
 	DisabledWorkflows []string
 	// CollaborativeOwnerIDs is a list of owner IDs used to share actions from private repos.
 	// Only workflows from the private repos whose owners are in CollaborativeOwnerIDs can access the current repo's actions.
 	CollaborativeOwnerIDs []int64
+	// TokenPermissionMode defines the default permission mode (permissive or restricted)
+	TokenPermissionMode ActionsTokenPermissionMode `json:"token_permission_mode,omitempty"`
+	// DefaultTokenPermissions defines the default permissions for workflow tokens
+	DefaultTokenPermissions *ActionsTokenPermissions `json:"default_token_permissions,omitempty"`
+	// MaxTokenPermissions defines the maximum permissions (cannot be exceeded by workflow permissions keyword)
+	MaxTokenPermissions *ActionsTokenPermissions `json:"max_token_permissions,omitempty"`
+	// AllowCrossRepoAccess indicates if actions in this repo/org can access other repos in the same org
+	AllowCrossRepoAccess bool `json:"allow_cross_repo_access,omitempty"`
 }
 
 func (cfg *ActionsConfig) EnableWorkflow(file string) {
@@ -209,6 +310,59 @@ func (cfg *ActionsConfig) IsCollaborativeOwner(ownerID int64) bool {
 	return slices.Contains(cfg.CollaborativeOwnerIDs, ownerID)
 }
 
+// GetTokenPermissionMode returns the token permission mode (defaults to permissive for backwards compatibility)
+func (cfg *ActionsConfig) GetTokenPermissionMode() ActionsTokenPermissionMode {
+	if cfg.TokenPermissionMode == "" {
+		return ActionsTokenPermissionModePermissive
+	}
+	return cfg.TokenPermissionMode
+}
+
+// GetEffectiveTokenPermissions returns the effective token permissions based on settings and context
+func (cfg *ActionsConfig) GetEffectiveTokenPermissions(isForkPullRequest bool) ActionsTokenPermissions {
+	// Fork pull requests always get restricted read-only access for security
+	if isForkPullRequest {
+		return ForkPullRequestPermissions()
+	}
+
+	// Use custom default permissions if set
+	if cfg.DefaultTokenPermissions != nil {
+		return *cfg.DefaultTokenPermissions
+	}
+
+	// Otherwise use mode-based defaults
+	return DefaultActionsTokenPermissions(cfg.GetTokenPermissionMode())
+}
+
+// GetMaxTokenPermissions returns the maximum allowed permissions
+func (cfg *ActionsConfig) GetMaxTokenPermissions() ActionsTokenPermissions {
+	if cfg.MaxTokenPermissions != nil {
+		return *cfg.MaxTokenPermissions
+	}
+	// Default max is write for everything except packages
+	return ActionsTokenPermissions{
+		Contents:     perm.AccessModeWrite,
+		Issues:       perm.AccessModeWrite,
+		PullRequests: perm.AccessModeWrite,
+		Packages:     perm.AccessModeWrite,
+		Actions:      perm.AccessModeWrite,
+		Wiki:         perm.AccessModeWrite,
+	}
+}
+
+// ClampPermissions ensures that the given permissions don't exceed the maximum
+func (cfg *ActionsConfig) ClampPermissions(perms ActionsTokenPermissions) ActionsTokenPermissions {
+	maxPerms := cfg.GetMaxTokenPermissions()
+	return ActionsTokenPermissions{
+		Contents:     min(perms.Contents, maxPerms.Contents),
+		Issues:       min(perms.Issues, maxPerms.Issues),
+		PullRequests: min(perms.PullRequests, maxPerms.PullRequests),
+		Packages:     min(perms.Packages, maxPerms.Packages),
+		Actions:      min(perms.Actions, maxPerms.Actions),
+		Wiki:         min(perms.Wiki, maxPerms.Wiki),
+	}
+}
+
 // FromDB fills up a ActionsConfig from serialized format.
 func (cfg *ActionsConfig) FromDB(bs []byte) error {
 	return json.UnmarshalHandleDoubleEncode(bs, &cfg)
diff --git a/models/repo/repo_unit_test.go b/models/repo/repo_unit_test.go
index 56dda5672d4ff..11b430e485fc7 100644
--- a/models/repo/repo_unit_test.go
+++ b/models/repo/repo_unit_test.go
@@ -6,6 +6,8 @@ package repo
 import (
 	"testing"
 
+	"code.gitea.io/gitea/models/perm"
+
 	"github.com/stretchr/testify/assert"
 )
 
@@ -28,3 +30,76 @@ func TestActionsConfig(t *testing.T) {
 	cfg.DisableWorkflow("test3.yaml")
 	assert.Equal(t, "test1.yaml,test2.yaml,test3.yaml", cfg.ToString())
 }
+
+func TestActionsConfigTokenPermissions(t *testing.T) {
+	t.Run("Default Permission Mode", func(t *testing.T) {
+		cfg := &ActionsConfig{}
+		assert.Equal(t, ActionsTokenPermissionModePermissive, cfg.GetTokenPermissionMode())
+	})
+
+	t.Run("Explicit Permission Mode", func(t *testing.T) {
+		cfg := &ActionsConfig{
+			TokenPermissionMode: ActionsTokenPermissionModeRestricted,
+		}
+		assert.Equal(t, ActionsTokenPermissionModeRestricted, cfg.GetTokenPermissionMode())
+	})
+
+	t.Run("Effective Permissions - Permissive Mode", func(t *testing.T) {
+		cfg := &ActionsConfig{
+			TokenPermissionMode: ActionsTokenPermissionModePermissive,
+		}
+		perms := cfg.GetEffectiveTokenPermissions(false)
+		assert.Equal(t, perm.AccessModeWrite, perms.Contents)
+		assert.Equal(t, perm.AccessModeWrite, perms.Issues)
+		assert.Equal(t, perm.AccessModeRead, perms.Packages) // Packages read by default for security
+	})
+
+	t.Run("Effective Permissions - Restricted Mode", func(t *testing.T) {
+		cfg := &ActionsConfig{
+			TokenPermissionMode: ActionsTokenPermissionModeRestricted,
+		}
+		perms := cfg.GetEffectiveTokenPermissions(false)
+		assert.Equal(t, perm.AccessModeRead, perms.Contents)
+		assert.Equal(t, perm.AccessModeRead, perms.Issues)
+		assert.Equal(t, perm.AccessModeRead, perms.Packages)
+	})
+
+	t.Run("Fork Pull Request Always Read-Only", func(t *testing.T) {
+		cfg := &ActionsConfig{
+			TokenPermissionMode: ActionsTokenPermissionModePermissive,
+		}
+		// Even with permissive mode, fork PRs get read-only
+		perms := cfg.GetEffectiveTokenPermissions(true)
+		assert.Equal(t, perm.AccessModeRead, perms.Contents)
+		assert.Equal(t, perm.AccessModeRead, perms.Issues)
+		assert.Equal(t, perm.AccessModeRead, perms.Packages)
+	})
+
+	t.Run("Clamp Permissions", func(t *testing.T) {
+		cfg := &ActionsConfig{
+			MaxTokenPermissions: &ActionsTokenPermissions{
+				Contents:     perm.AccessModeRead,
+				Issues:       perm.AccessModeWrite,
+				PullRequests: perm.AccessModeRead,
+				Packages:     perm.AccessModeRead,
+				Actions:      perm.AccessModeNone,
+				Wiki:         perm.AccessModeWrite,
+			},
+		}
+		input := ActionsTokenPermissions{
+			Contents:     perm.AccessModeWrite, // Should be clamped to Read
+			Issues:       perm.AccessModeWrite, // Should stay Write
+			PullRequests: perm.AccessModeWrite, // Should be clamped to Read
+			Packages:     perm.AccessModeWrite, // Should be clamped to Read
+			Actions:      perm.AccessModeRead,  // Should be clamped to None
+			Wiki:         perm.AccessModeRead,  // Should stay Read
+		}
+		clamped := cfg.ClampPermissions(input)
+		assert.Equal(t, perm.AccessModeRead, clamped.Contents)
+		assert.Equal(t, perm.AccessModeWrite, clamped.Issues)
+		assert.Equal(t, perm.AccessModeRead, clamped.PullRequests)
+		assert.Equal(t, perm.AccessModeRead, clamped.Packages)
+		assert.Equal(t, perm.AccessModeNone, clamped.Actions)
+		assert.Equal(t, perm.AccessModeRead, clamped.Wiki)
+	})
+}
diff --git a/options/locale/locale_en-US.json b/options/locale/locale_en-US.json
index 307cccf8bd6bf..8f420b9581e9b 100644
--- a/options/locale/locale_en-US.json
+++ b/options/locale/locale_en-US.json
@@ -3769,7 +3769,38 @@
     "general.add_collaborative_owner": "Add Collaborative Owner",
     "general.collaborative_owner_not_exist": "The collaborative owner does not exist.",
     "general.remove_collaborative_owner": "Remove Collaborative Owner",
-    "general.remove_collaborative_owner_desc": "Removing a collaborative owner will prevent the repositories of the owner from accessing the actions in this repository. Continue?"
+    "general.remove_collaborative_owner_desc": "Removing a collaborative owner will prevent the repositories of the owner from accessing the actions in this repository. Continue?",
+    "general.token_permissions": "Workflow Permissions",
+    "general.token_permissions.description": "Configure the default permissions granted to the GITHUB_TOKEN when running workflows in this repository.",
+    "general.token_permissions.mode": "Permission Mode",
+    "general.token_permissions.permissive": "Read and write permissions",
+    "general.token_permissions.permissive.description": "Workflows have read and write permissions in the repository for all scopes.",
+    "general.token_permissions.restricted": "Read repository contents and packages permissions",
+    "general.token_permissions.restricted.description": "Workflows have read permissions in the repository for the contents and packages scopes only.",
+    "general.token_permissions.fork_pr_note": "Note: For workflows triggered by a pull request from a forked repository, the default GITHUB_TOKEN is always read-only.",
+    "general.token_permissions.contents": "Contents",
+    "general.token_permissions.contents.description": "Access source code, files, commits and branches.",
+    "general.token_permissions.issues": "Issues",
+    "general.token_permissions.issues.description": "Organize bug reports, tasks and milestones.",
+    "general.token_permissions.pull_requests": "Pull Requests",
+    "general.token_permissions.pull_requests.description": "Enable pull requests and code reviews.",
+    "general.token_permissions.packages": "Packages",
+    "general.token_permissions.packages.description": "Manage repository packages.",
+    "general.token_permissions.actions_scope": "Actions",
+    "general.token_permissions.actions_scope.description": "Manage actions.",
+    "general.token_permissions.wiki": "Wiki",
+    "general.token_permissions.wiki.description": "Write and share documentation with collaborators.",
+    "general.token_permissions.access_read": "Read",
+    "general.token_permissions.access_write": "Write",
+    "general.token_permissions.access_none": "No access",
+    "general.token_permissions.update_success": "Token permissions updated successfully.",
+    "general.token_permissions.cross_repo": "Cross-Repository Access",
+    "general.token_permissions.cross_repo_desc": "Allow workflows in this organization to access other repositories within the same organization.",
+    "general.token_permissions.custom": "Custom permissions",
+    "general.token_permissions.custom.description": "Configure permissions for each scope individually.",
+    "general.token_permissions.individual": "Individual Permissions",
+    "general.token_permissions.maximum": "Maximum Permissions",
+    "general.token_permissions.maximum.description": "Configure the maximum permissions that can be requested by a workflow."
   },
   "projects": {
     "deleted.display_name": "Deleted Project",
diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go
index f6ee5958b5bb9..1d1ae4291ea8d 100644
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@@ -6,6 +6,7 @@ package packages
 import (
 	"net/http"
 
+	actions_model "code.gitea.io/gitea/models/actions"
 	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/perm"
 	"code.gitea.io/gitea/modules/log"
@@ -80,6 +81,58 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
 			}
 		}
 
+		isActionsToken, _ := ctx.Data["IsActionsToken"].(bool)
+		if isActionsToken && ctx.Package != nil && ctx.Package.Owner != nil && ctx.Package.Owner.Visibility.IsPrivate() {
+			// Actions rules:
+			// 1. If the package key matches the task repo, allow.
+			// 2. If not, check cross-repo policy.
+
+			taskID, ok := ctx.Data["ActionsTaskID"].(int64)
+			if ok && taskID > 0 {
+				task, err := actions_model.GetTaskByID(ctx, taskID)
+				if err != nil {
+					log.Error("GetTaskByID: %v", err)
+					ctx.HTTPError(http.StatusInternalServerError, "GetTaskByID", err.Error())
+					return
+				}
+				if task == nil {
+					ctx.HTTPError(http.StatusInternalServerError, "GetTaskByID", "task not found")
+					return
+				}
+
+				var packageRepoID int64
+				if ctx.Package.Descriptor != nil && ctx.Package.Descriptor.Package != nil {
+					packageRepoID = ctx.Package.Descriptor.Package.RepoID
+				}
+
+				if task.RepoID != packageRepoID {
+					// 1. Private packages MUST be linked to a repository
+					if packageRepoID == 0 {
+						ctx.HTTPError(http.StatusForbidden, "reqPackageAccess", "private package must be linked to a repository to be accessed by Actions")
+						return
+					}
+
+					// 2. Check Org Cross-Repo Access Policy
+					if ctx.Package.Owner.IsOrganization() {
+						cfg, err := actions_model.GetOrgActionsConfig(ctx, ctx.Package.Owner.ID)
+						if err != nil {
+							log.Error("GetOrgActionsConfig: %v", err)
+							ctx.HTTPError(http.StatusInternalServerError, "GetOrgActionsConfig", err.Error())
+							return
+						}
+						if !cfg.AllowCrossRepoAccess {
+							ctx.HTTPError(http.StatusForbidden, "reqPackageAccess", "cross-repository package access is disabled")
+							return
+						}
+					}
+
+					// 3. Fallthrough to GetActionsUserRepoPermission
+					// We rely on the backend permission check below to handle other Cross-Repository restrictions
+					// (e.g., User collaborative owners, token scopes).
+				}
+			}
+		}
+
 		if ctx.Package.AccessMode < accessMode && !ctx.IsUserSiteAdmin() {
 			ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="Gitea Package API"`)
 			ctx.HTTPError(http.StatusUnauthorized, "reqPackageAccess", "user should have specific permission or be a site admin")
diff --git a/routers/web/org/setting/actions.go b/routers/web/org/setting/actions.go
new file mode 100644
index 0000000000000..949ceb1a2a213
--- /dev/null
+++ b/routers/web/org/setting/actions.go
@@ -0,0 +1,123 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+import (
+	"net/http"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	"code.gitea.io/gitea/models/perm"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/modules/templates"
+	"code.gitea.io/gitea/services/context"
+)
+
+const (
+	tplSettingsActionsGeneral templates.TplName = "org/settings/actions_general"
+)
+
+// ActionsGeneral renders the actions general settings page
+func ActionsGeneral(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("actions.actions")
+	ctx.Data["PageIsOrgSettings"] = true
+	ctx.Data["PageIsOrgSettingsActionsGeneral"] = true
+
+	// Load Org Actions Config
+	actionsCfg, err := actions_model.GetOrgActionsConfig(ctx, ctx.Org.Organization.AsUser().ID)
+	if err != nil {
+		ctx.ServerError("GetOrgActionsConfig", err)
+		return
+	}
+
+	ctx.Data["TokenPermissionMode"] = actionsCfg.GetTokenPermissionMode()
+	ctx.Data["TokenPermissionModePermissive"] = repo_model.ActionsTokenPermissionModePermissive
+	ctx.Data["TokenPermissionModeRestricted"] = repo_model.ActionsTokenPermissionModeRestricted
+	ctx.Data["TokenPermissionModeCustom"] = repo_model.ActionsTokenPermissionModeCustom
+	ctx.Data["DefaultTokenPermissions"] = actionsCfg.GetEffectiveTokenPermissions(false)
+	ctx.Data["MaxTokenPermissions"] = actionsCfg.GetMaxTokenPermissions()
+
+	ctx.Data["AllowCrossRepoAccess"] = actionsCfg.AllowCrossRepoAccess
+
+	ctx.HTML(http.StatusOK, tplSettingsActionsGeneral)
+}
+
+// ActionsGeneralPost responses for actions general settings page
+func ActionsGeneralPost(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("actions.actions")
+	ctx.Data["PageIsOrgSettings"] = true
+	ctx.Data["PageIsOrgSettingsActions"] = true
+
+	actionsCfg, err := actions_model.GetOrgActionsConfig(ctx, ctx.Org.Organization.AsUser().ID)
+	if err != nil {
+		ctx.ServerError("GetOrgActionsConfig", err)
+		return
+	}
+
+	// Update Token Permission Mode
+	permissionMode := repo_model.ActionsTokenPermissionMode(ctx.FormString("token_permission_mode"))
+	if permissionMode == repo_model.ActionsTokenPermissionModeRestricted ||
+		permissionMode == repo_model.ActionsTokenPermissionModePermissive ||
+		permissionMode == repo_model.ActionsTokenPermissionModeCustom {
+		actionsCfg.TokenPermissionMode = permissionMode
+	}
+
+	if actionsCfg.TokenPermissionMode == repo_model.ActionsTokenPermissionModeCustom {
+		// Custom mode uses radio buttons for each permission scope
+		parsePerm := func(name string) perm.AccessMode {
+			value := ctx.FormString(name)
+			switch value {
+			case "write":
+				return perm.AccessModeWrite
+			case "read":
+				return perm.AccessModeRead
+			default:
+				return perm.AccessModeNone
+			}
+		}
+
+		actionsCfg.DefaultTokenPermissions = &repo_model.ActionsTokenPermissions{
+			Actions:      parsePerm("perm_actions"),
+			Contents:     parsePerm("perm_contents"),
+			Issues:       parsePerm("perm_issues"),
+			Packages:     parsePerm("perm_packages"),
+			PullRequests: parsePerm("perm_pull_requests"),
+			Wiki:         parsePerm("perm_wiki"),
+		}
+	} else {
+		actionsCfg.DefaultTokenPermissions = nil
+	}
+
+	// Update Maximum Permissions (radio buttons: none/read/write)
+	parseMaxPerm := func(name string) perm.AccessMode {
+		value := ctx.FormString("max_" + name)
+		switch value {
+		case "write":
+			return perm.AccessModeWrite
+		case "read":
+			return perm.AccessModeRead
+		default:
+			return perm.AccessModeNone
+		}
+	}
+
+	actionsCfg.MaxTokenPermissions = &repo_model.ActionsTokenPermissions{
+		Actions:      parseMaxPerm("actions"),
+		Contents:     parseMaxPerm("contents"),
+		Issues:       parseMaxPerm("issues"),
+		Packages:     parseMaxPerm("packages"),
+		PullRequests: parseMaxPerm("pull_requests"),
+		Wiki:         parseMaxPerm("wiki"),
+	}
+
+	// Update Cross-Repo Access
+	actionsCfg.AllowCrossRepoAccess = ctx.FormBool("allow_cross_repo_access")
+
+	if err := actions_model.SetOrgActionsConfig(ctx, ctx.Org.Organization.AsUser().ID, actionsCfg); err != nil {
+		ctx.ServerError("SetOrgActionsConfig", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("org.settings.update_setting_success"))
+	ctx.Redirect(ctx.Org.OrgLink + "/settings/actions")
+}
diff --git a/routers/web/repo/setting/actions.go b/routers/web/repo/setting/actions.go
index 9c2c9242d34b6..cd3b0ae7bf796 100644
--- a/routers/web/repo/setting/actions.go
+++ b/routers/web/repo/setting/actions.go
@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"strings"
 
+	"code.gitea.io/gitea/models/perm"
 	repo_model "code.gitea.io/gitea/models/repo"
 	unit_model "code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
@@ -34,8 +35,18 @@ func ActionsGeneralSettings(ctx *context.Context) {
 		return
 	}
 
+	actionsCfg := actionsUnit.ActionsConfig()
+
+	// Token permission settings
+	ctx.Data["TokenPermissionMode"] = actionsCfg.GetTokenPermissionMode()
+	ctx.Data["TokenPermissionModePermissive"] = repo_model.ActionsTokenPermissionModePermissive
+	ctx.Data["TokenPermissionModeRestricted"] = repo_model.ActionsTokenPermissionModeRestricted
+	ctx.Data["TokenPermissionModeCustom"] = repo_model.ActionsTokenPermissionModeCustom
+	ctx.Data["DefaultTokenPermissions"] = actionsCfg.GetEffectiveTokenPermissions(false)
+	ctx.Data["MaxTokenPermissions"] = actionsCfg.GetMaxTokenPermissions()
+
 	if ctx.Repo.Repository.IsPrivate {
-		collaborativeOwnerIDs := actionsUnit.ActionsConfig().CollaborativeOwnerIDs
+		collaborativeOwnerIDs := actionsCfg.CollaborativeOwnerIDs
 		collaborativeOwners, err := user_model.GetUsersByIDs(ctx, collaborativeOwnerIDs)
 		if err != nil {
 			ctx.ServerError("GetUsersByIDs", err)
@@ -119,3 +130,84 @@ func DeleteCollaborativeOwner(ctx *context.Context) {
 
 	ctx.JSONOK()
 }
+
+// UpdateTokenPermissions updates the token permission settings for the repository
+func UpdateTokenPermissions(ctx *context.Context) {
+	redirectURL := ctx.Repo.RepoLink + "/settings/actions/general"
+
+	actionsUnit, err := ctx.Repo.Repository.GetUnit(ctx, unit_model.TypeActions)
+	if err != nil {
+		ctx.ServerError("GetUnit", err)
+		return
+	}
+
+	actionsCfg := actionsUnit.ActionsConfig()
+
+	// Update permission mode
+	permissionMode := repo_model.ActionsTokenPermissionMode(ctx.FormString("token_permission_mode"))
+	if permissionMode == repo_model.ActionsTokenPermissionModeRestricted ||
+		permissionMode == repo_model.ActionsTokenPermissionModePermissive ||
+		permissionMode == repo_model.ActionsTokenPermissionModeCustom {
+		actionsCfg.TokenPermissionMode = permissionMode
+	} else {
+		ctx.Flash.Error("Invalid token permission mode")
+		ctx.Redirect(redirectURL)
+		return
+	}
+
+	if actionsCfg.TokenPermissionMode == repo_model.ActionsTokenPermissionModeCustom {
+		// Custom mode uses radio buttons for each permission scope
+		parsePerm := func(name string) perm.AccessMode {
+			value := ctx.FormString(name)
+			switch value {
+			case "write":
+				return perm.AccessModeWrite
+			case "read":
+				return perm.AccessModeRead
+			default:
+				return perm.AccessModeNone
+			}
+		}
+
+		actionsCfg.DefaultTokenPermissions = &repo_model.ActionsTokenPermissions{
+			Actions:      parsePerm("perm_actions"),
+			Contents:     parsePerm("perm_contents"),
+			Issues:       parsePerm("perm_issues"),
+			Packages:     parsePerm("perm_packages"),
+			PullRequests: parsePerm("perm_pull_requests"),
+			Wiki:         parsePerm("perm_wiki"),
+		}
+	} else {
+		actionsCfg.DefaultTokenPermissions = nil
+	}
+
+	// Update Maximum Permissions (radio buttons: none/read/write)
+	parseMaxPerm := func(name string) perm.AccessMode {
+		value := ctx.FormString("max_" + name)
+		switch value {
+		case "write":
+			return perm.AccessModeWrite
+		case "read":
+			return perm.AccessModeRead
+		default:
+			return perm.AccessModeNone
+		}
+	}
+
+	actionsCfg.MaxTokenPermissions = &repo_model.ActionsTokenPermissions{
+		Actions:      parseMaxPerm("actions"),
+		Contents:     parseMaxPerm("contents"),
+		Issues:       parseMaxPerm("issues"),
+		Packages:     parseMaxPerm("packages"),
+		PullRequests: parseMaxPerm("pull_requests"),
+		Wiki:         parseMaxPerm("wiki"),
+	}
+
+	if err := repo_model.UpdateRepoUnit(ctx, actionsUnit); err != nil {
+		ctx.ServerError("UpdateRepoUnit", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.settings.update_settings_success"))
+	ctx.Redirect(redirectURL)
+}
diff --git a/routers/web/web.go b/routers/web/web.go
index 86e51d607e2fd..73b9a5dd0ba0b 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -961,7 +961,8 @@ func registerWebRoutes(m *web.Router) {
 				})
 
 				m.Group("/actions", func() {
-					m.Get("", org_setting.RedirectToDefaultSetting)
+					m.Get("", org_setting.ActionsGeneral)
+					m.Post("", org_setting.ActionsGeneralPost)
 					addSettingsRunnersRoutes()
 					addSettingsSecretsRoutes()
 					addSettingsVariablesRoutes()
@@ -1167,6 +1168,7 @@ func registerWebRoutes(m *web.Router) {
 					m.Post("/add", repo_setting.AddCollaborativeOwner)
 					m.Post("/delete", repo_setting.DeleteCollaborativeOwner)
 				})
+				m.Post("/token_permissions", repo_setting.UpdateTokenPermissions)
 			})
 		}, actions.MustEnableActions)
 		// the follow handler must be under "settings", otherwise this incomplete repo can't be accessed
diff --git a/templates/org/settings/actions_general.tmpl b/templates/org/settings/actions_general.tmpl
new file mode 100644
index 0000000000000..374e0cf46d770
--- /dev/null
+++ b/templates/org/settings/actions_general.tmpl
@@ -0,0 +1,215 @@
+{{template "org/settings/layout_head" .}}
+<div class="org-setting-content">
+	<h4 class="ui top attached header">
+		{{ctx.Locale.Tr "actions.actions"}} - {{ctx.Locale.Tr "settings.general"}}
+	</h4>
+	<div class="ui attached segment">
+		<form class="ui form" action="{{.Link}}" method="post">
+			{{.CsrfTokenHtml}}
+
+			<!-- Cross-Repository Access -->
+			<div class="field">
+				<div class="ui checkbox">
+					<input type="checkbox" name="allow_cross_repo_access" {{if .AllowCrossRepoAccess}}checked{{end}}>
+					<label><strong>{{ctx.Locale.Tr "actions.general.token_permissions.cross_repo"}}</strong></label>
+				</div>
+				<p class="help">{{ctx.Locale.Tr "actions.general.token_permissions.cross_repo_desc"}}</p>
+			</div>
+
+			<div class="divider"></div>
+
+			<!-- Default Permission Mode -->
+			<h5 class="ui header">
+				{{ctx.Locale.Tr "actions.general.token_permissions.mode"}}
+			</h5>
+			<div class="grouped fields">
+				<div class="field">
+					<div class="ui radio checkbox">
+						<input type="radio" name="token_permission_mode" value="permissive" {{if eq .TokenPermissionMode .TokenPermissionModePermissive}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "actions.general.token_permissions.permissive"}}</label>
+					</div>
+					<p class="help">{{ctx.Locale.Tr "actions.general.token_permissions.permissive.description"}}</p>
+				</div>
+				<div class="field">
+					<div class="ui radio checkbox">
+						<input type="radio" name="token_permission_mode" value="restricted" {{if eq .TokenPermissionMode .TokenPermissionModeRestricted}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "actions.general.token_permissions.restricted"}}</label>
+					</div>
+					<p class="help">{{ctx.Locale.Tr "actions.general.token_permissions.restricted.description"}}</p>
+				</div>
+			</div>
+
+			<div class="divider"></div>
+
+			<!-- Maximum Permissions Table -->
+			<h5 class="ui header">
+				{{ctx.Locale.Tr "actions.general.token_permissions.maximum"}}
+			</h5>
+			<p class="help">{{ctx.Locale.Tr "actions.general.token_permissions.maximum.description"}}</p>
+
+			<table class="ui celled table">
+				<thead>
+					<tr>
+						<th style="width: 40%">{{ctx.Locale.Tr "units.unit"}}</th>
+						<th style="width: 20%; text-align: center">{{ctx.Locale.Tr "actions.general.token_permissions.access_none"}}</th>
+						<th style="width: 20%; text-align: center">{{ctx.Locale.Tr "actions.general.token_permissions.access_read"}}</th>
+						<th style="width: 20%; text-align: center">{{ctx.Locale.Tr "actions.general.token_permissions.access_write"}}</th>
+					</tr>
+				</thead>
+				<tbody>
+					<tr>
+						<td>
+							<strong>{{ctx.Locale.Tr "actions.general.token_permissions.contents"}}</strong>
+							<p class="text small grey">{{ctx.Locale.Tr "actions.general.token_permissions.contents.description"}}</p>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_contents" value="none" {{if not ($.MaxTokenPermissions.HasRead "contents")}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_contents" value="read" {{if and ($.MaxTokenPermissions.HasRead "contents") (not ($.MaxTokenPermissions.HasWrite "contents"))}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_contents" value="write" {{if $.MaxTokenPermissions.HasWrite "contents"}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+					</tr>
+					<tr>
+						<td>
+							<strong>{{ctx.Locale.Tr "actions.general.token_permissions.issues"}}</strong>
+							<p class="text small grey">{{ctx.Locale.Tr "actions.general.token_permissions.issues.description"}}</p>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_issues" value="none" {{if not ($.MaxTokenPermissions.HasRead "issues")}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_issues" value="read" {{if and ($.MaxTokenPermissions.HasRead "issues") (not ($.MaxTokenPermissions.HasWrite "issues"))}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_issues" value="write" {{if $.MaxTokenPermissions.HasWrite "issues"}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+					</tr>
+					<tr>
+						<td>
+							<strong>{{ctx.Locale.Tr "actions.general.token_permissions.pull_requests"}}</strong>
+							<p class="text small grey">{{ctx.Locale.Tr "actions.general.token_permissions.pull_requests.description"}}</p>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_pull_requests" value="none" {{if not ($.MaxTokenPermissions.HasRead "pull_requests")}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_pull_requests" value="read" {{if and ($.MaxTokenPermissions.HasRead "pull_requests") (not ($.MaxTokenPermissions.HasWrite "pull_requests"))}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_pull_requests" value="write" {{if $.MaxTokenPermissions.HasWrite "pull_requests"}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+					</tr>
+					<tr>
+						<td>
+							<strong>{{ctx.Locale.Tr "actions.general.token_permissions.wiki"}}</strong>
+							<p class="text small grey">{{ctx.Locale.Tr "actions.general.token_permissions.wiki.description"}}</p>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_wiki" value="none" {{if not ($.MaxTokenPermissions.HasRead "wiki")}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_wiki" value="read" {{if and ($.MaxTokenPermissions.HasRead "wiki") (not ($.MaxTokenPermissions.HasWrite "wiki"))}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_wiki" value="write" {{if $.MaxTokenPermissions.HasWrite "wiki"}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+					</tr>
+					<tr>
+						<td>
+							<strong>{{ctx.Locale.Tr "actions.general.token_permissions.packages"}}</strong>
+							<p class="text small grey">{{ctx.Locale.Tr "actions.general.token_permissions.packages.description"}}</p>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_packages" value="none" {{if not ($.MaxTokenPermissions.HasRead "packages")}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_packages" value="read" {{if and ($.MaxTokenPermissions.HasRead "packages") (not ($.MaxTokenPermissions.HasWrite "packages"))}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_packages" value="write" {{if $.MaxTokenPermissions.HasWrite "packages"}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+					</tr>
+					<tr>
+						<td>
+							<strong>{{ctx.Locale.Tr "actions.general.token_permissions.actions_scope"}}</strong>
+							<p class="text small grey">{{ctx.Locale.Tr "actions.general.token_permissions.actions_scope.description"}}</p>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_actions" value="none" {{if not ($.MaxTokenPermissions.HasRead "actions")}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_actions" value="read" {{if and ($.MaxTokenPermissions.HasRead "actions") (not ($.MaxTokenPermissions.HasWrite "actions"))}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_actions" value="write" {{if $.MaxTokenPermissions.HasWrite "actions"}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+					</tr>
+				</tbody>
+			</table>
+
+			<div class="divider"></div>
+
+			<div class="field">
+				<button class="ui primary button">{{ctx.Locale.Tr "repo.settings.update_settings"}}</button>
+			</div>
+		</form>
+	</div>
+</div>
+{{template "org/settings/layout_footer" .}}
diff --git a/templates/org/settings/navbar.tmpl b/templates/org/settings/navbar.tmpl
index 58475de7e7a31..4c06b2cb1baf3 100644
--- a/templates/org/settings/navbar.tmpl
+++ b/templates/org/settings/navbar.tmpl
@@ -26,9 +26,12 @@
 		</a>
 		{{end}}
 		{{if .EnableActions}}
-		<details class="item toggleable-item" {{if or .PageIsSharedSettingsRunners .PageIsSharedSettingsSecrets .PageIsSharedSettingsVariables}}open{{end}}>
+		<details class="item toggleable-item" {{if or .PageIsOrgSettingsActionsGeneral .PageIsSharedSettingsRunners .PageIsSharedSettingsSecrets .PageIsSharedSettingsVariables}}open{{end}}>
 			<summary>{{ctx.Locale.Tr "actions.actions"}}</summary>
 			<div class="menu">
+				<a class="{{if .PageIsOrgSettingsActionsGeneral}}active {{end}}item" href="{{.OrgLink}}/settings/actions">
+					{{ctx.Locale.Tr "settings.general"}}
+				</a>
 				<a class="{{if .PageIsSharedSettingsRunners}}active {{end}}item" href="{{.OrgLink}}/settings/actions/runners">
 					{{ctx.Locale.Tr "actions.runners"}}
 				</a>
diff --git a/templates/repo/settings/actions_general.tmpl b/templates/repo/settings/actions_general.tmpl
index 06b7c8bad5025..35c3840001b55 100644
--- a/templates/repo/settings/actions_general.tmpl
+++ b/templates/repo/settings/actions_general.tmpl
@@ -1,4 +1,216 @@
+{{template "repo/settings/layout_head" .}}
 <div class="repo-setting-content">
+	<h4 class="ui top attached header">
+		{{ctx.Locale.Tr "actions.actions"}} - {{ctx.Locale.Tr "settings.general"}}
+	</h4>
+	<div class="ui attached segment">
+		<form class="ui form" action="{{.RepoLink}}/settings/actions/general/token_permissions" method="post">
+			{{.CsrfTokenHtml}}
+
+			<!-- Permission Mode Selection -->
+			<div class="field">
+				<label>{{ctx.Locale.Tr "actions.general.token_permissions.mode"}}</label>
+				<div class="grouped fields">
+					<div class="field">
+						<div class="ui radio checkbox">
+							<input type="radio" name="token_permission_mode" value="{{.TokenPermissionModePermissive}}" {{if eq .TokenPermissionMode .TokenPermissionModePermissive}}checked{{end}}>
+							<label>{{ctx.Locale.Tr "actions.general.token_permissions.permissive"}}</label>
+							<p class="help">{{ctx.Locale.Tr "actions.general.token_permissions.permissive.description"}}</p>
+						</div>
+					</div>
+					<div class="field">
+						<div class="ui radio checkbox">
+							<input type="radio" name="token_permission_mode" value="{{.TokenPermissionModeRestricted}}" {{if eq .TokenPermissionMode .TokenPermissionModeRestricted}}checked{{end}}>
+							<label>{{ctx.Locale.Tr "actions.general.token_permissions.restricted"}}</label>
+							<p class="help">{{ctx.Locale.Tr "actions.general.token_permissions.restricted.description"}}</p>
+						</div>
+					</div>
+				</div>
+			</div>
+
+			<p class="text muted">{{ctx.Locale.Tr "actions.general.token_permissions.fork_pr_note"}}</p>
+
+			<div class="divider"></div>
+
+			<!-- Maximum Permissions Table -->
+			<h5 class="ui header">
+				{{ctx.Locale.Tr "actions.general.token_permissions.maximum"}}
+				<span class="ui red text">*</span>
+			</h5>
+			<p class="help">{{ctx.Locale.Tr "actions.general.token_permissions.maximum.description"}}</p>
+
+			<table class="ui celled table">
+				<thead>
+					<tr>
+						<th style="width: 40%">{{ctx.Locale.Tr "units.unit"}}</th>
+						<th style="width: 20%; text-align: center">{{ctx.Locale.Tr "actions.general.token_permissions.access_none"}} <span class="ui basic circular label" data-tooltip="No access to this resource">?</span></th>
+						<th style="width: 20%; text-align: center">{{ctx.Locale.Tr "actions.general.token_permissions.access_read"}} <span class="ui basic circular label" data-tooltip="Read-only access">?</span></th>
+						<th style="width: 20%; text-align: center">{{ctx.Locale.Tr "actions.general.token_permissions.access_write"}} <span class="ui basic circular label" data-tooltip="Read and write access">?</span></th>
+					</tr>
+				</thead>
+				<tbody>
+					<!-- Code -->
+					<tr>
+						<td>
+							<strong>{{ctx.Locale.Tr "actions.general.token_permissions.contents"}}</strong>
+							<p class="text small grey">{{ctx.Locale.Tr "actions.general.token_permissions.contents.description"}}</p>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_contents" value="none" {{if not ($.MaxTokenPermissions.HasRead "contents")}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_contents" value="read" {{if and ($.MaxTokenPermissions.HasRead "contents") (not ($.MaxTokenPermissions.HasWrite "contents"))}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_contents" value="write" {{if $.MaxTokenPermissions.HasWrite "contents"}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+					</tr>
+					<!-- Issues -->
+					<tr>
+						<td>
+							<strong>{{ctx.Locale.Tr "actions.general.token_permissions.issues"}}</strong>
+							<p class="text small grey">{{ctx.Locale.Tr "actions.general.token_permissions.issues.description"}}</p>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_issues" value="none" {{if not ($.MaxTokenPermissions.HasRead "issues")}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_issues" value="read" {{if and ($.MaxTokenPermissions.HasRead "issues") (not ($.MaxTokenPermissions.HasWrite "issues"))}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_issues" value="write" {{if $.MaxTokenPermissions.HasWrite "issues"}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+					</tr>
+					<!-- Pull Requests -->
+					<tr>
+						<td>
+							<strong>{{ctx.Locale.Tr "actions.general.token_permissions.pull_requests"}}</strong>
+							<p class="text small grey">{{ctx.Locale.Tr "actions.general.token_permissions.pull_requests.description"}}</p>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_pull_requests" value="none" {{if not ($.MaxTokenPermissions.HasRead "pull_requests")}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_pull_requests" value="read" {{if and ($.MaxTokenPermissions.HasRead "pull_requests") (not ($.MaxTokenPermissions.HasWrite "pull_requests"))}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_pull_requests" value="write" {{if $.MaxTokenPermissions.HasWrite "pull_requests"}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+					</tr>
+					<!-- Wiki -->
+					<tr>
+						<td>
+							<strong>{{ctx.Locale.Tr "actions.general.token_permissions.wiki"}}</strong>
+							<p class="text small grey">{{ctx.Locale.Tr "actions.general.token_permissions.wiki.description"}}</p>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_wiki" value="none" {{if not ($.MaxTokenPermissions.HasRead "wiki")}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_wiki" value="read" {{if and ($.MaxTokenPermissions.HasRead "wiki") (not ($.MaxTokenPermissions.HasWrite "wiki"))}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_wiki" value="write" {{if $.MaxTokenPermissions.HasWrite "wiki"}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+					</tr>
+					<!-- Packages -->
+					<tr>
+						<td>
+							<strong>{{ctx.Locale.Tr "actions.general.token_permissions.packages"}}</strong>
+							<p class="text small grey">{{ctx.Locale.Tr "actions.general.token_permissions.packages.description"}}</p>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_packages" value="none" {{if not ($.MaxTokenPermissions.HasRead "packages")}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_packages" value="read" {{if and ($.MaxTokenPermissions.HasRead "packages") (not ($.MaxTokenPermissions.HasWrite "packages"))}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_packages" value="write" {{if $.MaxTokenPermissions.HasWrite "packages"}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+					</tr>
+					<!-- Actions -->
+					<tr>
+						<td>
+							<strong>{{ctx.Locale.Tr "actions.general.token_permissions.actions_scope"}}</strong>
+							<p class="text small grey">{{ctx.Locale.Tr "actions.general.token_permissions.actions_scope.description"}}</p>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_actions" value="none" {{if not ($.MaxTokenPermissions.HasRead "actions")}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_actions" value="read" {{if and ($.MaxTokenPermissions.HasRead "actions") (not ($.MaxTokenPermissions.HasWrite "actions"))}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+						<td style="text-align: center">
+							<div class="ui radio checkbox">
+								<input type="radio" name="max_actions" value="write" {{if $.MaxTokenPermissions.HasWrite "actions"}}checked{{end}}>
+								<label></label>
+							</div>
+						</td>
+					</tr>
+				</tbody>
+			</table>
+
+			<div class="divider"></div>
+
+			<div class="field">
+				<button class="ui primary button">{{ctx.Locale.Tr "repo.settings.update_settings"}}</button>
+			</div>
+		</form>
+	</div>
+
+	<!-- Enable/Disable Actions Section -->
 	<h4 class="ui top attached header">
 		{{ctx.Locale.Tr "actions.general.enable_actions"}}
 	</h4>
@@ -25,6 +237,7 @@
 
 {{if and .EnableActions (.Permission.CanRead ctx.Consts.RepoUnitTypeActions)}}
 	{{if .Repository.IsPrivate}}
+	<!-- Collaborative Owners Section -->
 	<h4 class="ui top attached header">
 		{{ctx.Locale.Tr "actions.general.collaborative_owners_management"}}
 	</h4>
@@ -67,3 +280,4 @@
 	{{end}}
 {{end}}
 </div>
+{{template "repo/settings/layout_footer" .}}
diff --git a/tests/integration/actions_job_token_test.go b/tests/integration/actions_job_token_test.go
index c4e8e880eb824..58980e482b87b 100644
--- a/tests/integration/actions_job_token_test.go
+++ b/tests/integration/actions_job_token_test.go
@@ -5,6 +5,7 @@ package integration
 
 import (
 	"encoding/base64"
+	"fmt"
 	"net/http"
 	"net/url"
 	"testing"
@@ -12,6 +13,10 @@ import (
 	actions_model "code.gitea.io/gitea/models/actions"
 	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
+	org_model "code.gitea.io/gitea/models/organization"
+	"code.gitea.io/gitea/models/perm"
+	repo_model "code.gitea.io/gitea/models/repo"
+	unit_model "code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/models/unittest"
 	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/util"
@@ -87,6 +92,14 @@ func TestActionsJobTokenAccessLFS(t *testing.T) {
 			task.RepoID = repository.ID
 			err := db.Insert(t.Context(), task)
 			require.NoError(t, err)
+
+			// Enable Actions unit for the repository
+			err = db.Insert(t.Context(), &repo_model.RepoUnit{
+				RepoID: repository.ID,
+				Type:   unit_model.TypeActions,
+				Config: &repo_model.ActionsConfig{},
+			})
+			require.NoError(t, err)
 			session := emptyTestSession(t)
 			httpContext := APITestContext{
 				Session:  session,
@@ -115,3 +128,242 @@ func TestActionsJobTokenAccessLFS(t *testing.T) {
 		}))
 	})
 }
+
+func TestActionsTokenPermissionsModes(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		t.Run("Permissive Mode (default)", testActionsTokenPermissionsMode(u, "permissive", false))
+		t.Run("Restricted Mode", testActionsTokenPermissionsMode(u, "restricted", true))
+	})
+}
+
+func testActionsTokenPermissionsMode(u *url.URL, mode string, expectReadOnly bool) func(t *testing.T) {
+	return func(t *testing.T) {
+		// Update repository settings to the requested mode
+		if mode != "" {
+			repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{Name: "repo4", OwnerName: "user5"})
+			require.NoError(t, repo.LoadUnits(t.Context()))
+			actionsUnit, err := repo.GetUnit(t.Context(), unit_model.TypeActions)
+			require.NoError(t, err, "Actions unit should exist for repo4")
+			actionsCfg := actionsUnit.ActionsConfig()
+			actionsCfg.TokenPermissionMode = repo_model.ActionsTokenPermissionMode(mode)
+			actionsCfg.DefaultTokenPermissions = nil // Ensure no custom permissions override the mode
+			actionsCfg.MaxTokenPermissions = nil     // Ensure no max permissions interfere
+			// Update the config
+			actionsUnit.Config = actionsCfg
+			require.NoError(t, repo_model.UpdateRepoUnit(t.Context(), actionsUnit))
+		}
+
+		// Load a task that can be used for testing
+		task := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 47})
+		// Regenerate token to pick up new permissions if any (though currently permissions are checked at runtime)
+		require.NoError(t, task.GenerateToken())
+		task.Status = actions_model.StatusRunning
+		task.IsForkPullRequest = false // Not a fork PR
+		err := actions_model.UpdateTask(t.Context(), task, "token_hash", "token_salt", "token_last_eight", "status", "is_fork_pull_request")
+		require.NoError(t, err)
+
+		session := emptyTestSession(t)
+		context := APITestContext{
+			Session:  session,
+			Token:    task.Token,
+			Username: "user5",
+			Reponame: "repo4",
+		}
+		dstPath := t.TempDir()
+
+		u.Path = context.GitPath()
+		u.User = url.UserPassword("gitea-actions", task.Token)
+
+		// Git clone should always work (read access)
+		t.Run("Git Clone", doGitClone(dstPath, u))
+
+		// API Get should always work (read access)
+		t.Run("API Get Repository", doAPIGetRepository(context, func(t *testing.T, r structs.Repository) {
+			require.Equal(t, "repo4", r.Name)
+			require.Equal(t, "user5", r.Owner.UserName)
+		}))
+
+		var sha string
+
+		// Test Write Access
+		if expectReadOnly {
+			context.ExpectedCode = http.StatusForbidden
+		} else {
+			context.ExpectedCode = 0
+		}
+		t.Run("API Create File", doAPICreateFile(context, "test-permissions.txt", &structs.CreateFileOptions{
+			FileOptions: structs.FileOptions{
+				BranchName: "master",
+				Message:    "Create File",
+			},
+			ContentBase64: base64.StdEncoding.EncodeToString([]byte(`This is a test file for permissions.`)),
+		}, func(t *testing.T, resp structs.FileResponse) {
+			sha = resp.Content.SHA
+			require.NotEmpty(t, sha, "SHA should not be empty")
+		}))
+
+		// Test Delete Access
+		if expectReadOnly {
+			context.ExpectedCode = http.StatusForbidden
+		} else {
+			context.ExpectedCode = 0
+		}
+		if !expectReadOnly {
+			// Clean up created file if we had write access
+			t.Run("API Delete File", func(t *testing.T) {
+				t.Logf("Deleting file with SHA: %s", sha)
+				require.NotEmpty(t, sha, "SHA must be captured before deletion")
+				deleteOpts := &structs.DeleteFileOptions{
+					FileOptions: structs.FileOptions{
+						BranchName: "master",
+						Message:    "Delete File",
+					},
+					SHA: sha,
+				}
+				req := NewRequestWithJSON(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", context.Username, context.Reponame, "test-permissions.txt"), deleteOpts).
+					AddTokenAuth(context.Token)
+				if context.ExpectedCode != 0 {
+					context.Session.MakeRequest(t, req, context.ExpectedCode)
+					return
+				}
+				context.Session.MakeRequest(t, req, http.StatusOK)
+			})
+		}
+	}
+}
+
+func TestActionsTokenPermissionsClamping(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		httpContext := NewAPITestContext(t, "user2", "repo-clamping", auth_model.AccessTokenScopeWriteUser, auth_model.AccessTokenScopeWriteRepository)
+		t.Run("Create Repository", doAPICreateRepository(httpContext, false, func(t *testing.T, repository structs.Repository) {
+			// Enable Actions unit with Clamping Config
+			err := db.Insert(t.Context(), &repo_model.RepoUnit{
+				RepoID: repository.ID,
+				Type:   unit_model.TypeActions,
+				Config: &repo_model.ActionsConfig{
+					TokenPermissionMode: repo_model.ActionsTokenPermissionModeCustom,
+					DefaultTokenPermissions: &repo_model.ActionsTokenPermissions{
+						Contents: perm.AccessModeWrite, // Default is Write
+					},
+					MaxTokenPermissions: &repo_model.ActionsTokenPermissions{
+						Contents: perm.AccessModeRead, // Max is Read
+					},
+				},
+			})
+			require.NoError(t, err)
+
+			// Create Task and Token
+			task := &actions_model.ActionTask{
+				RepoID:            repository.ID,
+				Status:            actions_model.StatusRunning,
+				IsForkPullRequest: false,
+			}
+			require.NoError(t, task.GenerateToken())
+			require.NoError(t, db.Insert(t.Context(), task))
+
+			// Verify Token Permissions
+			session := emptyTestSession(t)
+			testCtx := APITestContext{
+				Session:  session,
+				Token:    task.Token,
+				Username: "user2",
+				Reponame: "repo-clamping",
+			}
+
+			// 1. Try to Write (Create File) - Should Fail (403) because Max is Read
+			testCtx.ExpectedCode = http.StatusForbidden
+			t.Run("Fail to Create File (Max Clamping)", doAPICreateFile(testCtx, "clamping.txt", &structs.CreateFileOptions{
+				ContentBase64: base64.StdEncoding.EncodeToString([]byte("test")),
+			}))
+
+			// 2. Try to Read (Get Repository) - Should Succeed (200)
+			testCtx.ExpectedCode = http.StatusOK
+			t.Run("Get Repository (Read Allowed)", doAPIGetRepository(testCtx, func(t *testing.T, r structs.Repository) {
+				assert.Equal(t, "repo-clamping", r.Name)
+			}))
+		}))
+	})
+}
+
+func TestActionsCrossRepoAccess(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		session := loginUser(t, "user2")
+		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteOrganization)
+
+		// 1. Create Organization
+		orgName := "org-cross-test"
+		req := NewRequestWithJSON(t, "POST", "/api/v1/orgs", &structs.CreateOrgOption{
+			UserName: orgName,
+		}).AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusCreated)
+
+		// 2. Create Two Repositories in Org
+		createRepoInOrg := func(name string) int64 {
+			req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/repos", orgName), &structs.CreateRepoOption{
+				Name:     name,
+				AutoInit: true,
+				Private:  true, // Must be private for potential restrictions
+			}).AddTokenAuth(token)
+			resp := MakeRequest(t, req, http.StatusCreated)
+			var repo structs.Repository
+			DecodeJSON(t, resp, &repo)
+			return repo.ID
+		}
+
+		repoAID := createRepoInOrg("repo-A")
+		repoBID := createRepoInOrg("repo-B")
+
+		// 3. Enable Actions in Repo A (Source) and Repo B (Target)
+		enableActions := func(repoID int64) {
+			err := db.Insert(t.Context(), &repo_model.RepoUnit{
+				RepoID: repoID,
+				Type:   unit_model.TypeActions,
+				Config: &repo_model.ActionsConfig{
+					TokenPermissionMode: repo_model.ActionsTokenPermissionModePermissive,
+				},
+			})
+			require.NoError(t, err)
+		}
+
+		enableActions(repoAID)
+		enableActions(repoBID)
+
+		// 4. Create Task in Repo A
+		task := &actions_model.ActionTask{
+			RepoID:            repoAID,
+			Status:            actions_model.StatusRunning,
+			IsForkPullRequest: false,
+		}
+		require.NoError(t, task.GenerateToken())
+		require.NoError(t, db.Insert(t.Context(), task))
+
+		// 5. Verify Access to Repo B (Target)
+		testCtx := APITestContext{
+			Session:  emptyTestSession(t),
+			Token:    task.Token,
+			Username: orgName,
+			Reponame: "repo-B",
+		}
+
+		// Case A: Default (AllowCrossRepoAccess = false/unset) -> Should Fail (404 Not Found)
+		// API returns 404 for private repos you can't access, not 403, to avoid leaking existence.
+		testCtx.ExpectedCode = http.StatusNotFound
+		t.Run("Cross-Repo Access Denied (Default)", doAPIGetRepository(testCtx, nil))
+
+		// Case B: Enable AllowCrossRepoAccess
+		org, err := org_model.GetOrgByName(t.Context(), orgName)
+		require.NoError(t, err)
+
+		cfg := &repo_model.ActionsConfig{
+			AllowCrossRepoAccess: true,
+		}
+		err = actions_model.SetOrgActionsConfig(t.Context(), org.ID, cfg)
+		require.NoError(t, err)
+
+		// Retry -> Should Succeed (200) - Read Only
+		testCtx.ExpectedCode = http.StatusOK
+		t.Run("Cross-Repo Access Allowed", doAPIGetRepository(testCtx, func(t *testing.T, r structs.Repository) {
+			assert.Equal(t, "repo-B", r.Name)
+		}))
+	})
+}
diff --git a/web_src/js/features/repo-settings-actions.ts b/web_src/js/features/repo-settings-actions.ts
new file mode 100644
index 0000000000000..44809d2781393
--- /dev/null
+++ b/web_src/js/features/repo-settings-actions.ts
@@ -0,0 +1,6 @@
+// initRepoSettingsActionsPermissions is currently a no-op placeholder.
+// The permission mode radio buttons work via standard HTML form submission
+// without requiring JavaScript for toggling visibility.
+export function initRepoSettingsActionsPermissions(): void {
+  // No-op - form submission handles permission updates
+}
diff --git a/web_src/js/index-domready.ts b/web_src/js/index-domready.ts
index 660e5c0989610..da1f3f80d0995 100644
--- a/web_src/js/index-domready.ts
+++ b/web_src/js/index-domready.ts
@@ -64,6 +64,7 @@ import {initGlobalButtonClickOnEnter, initGlobalButtons, initGlobalDeleteButton}
 import {initGlobalComboMarkdownEditor, initGlobalEnterQuickSubmit, initGlobalFormDirtyLeaveConfirm} from './features/common-form.ts';
 import {callInitFunctions} from './modules/init.ts';
 import {initRepoViewFileTree} from './features/repo-view-file-tree.ts';
+import {initRepoSettingsActionsPermissions} from './features/repo-settings-actions.ts';
 
 const initStartTime = performance.now();
 const initPerformanceTracer = callInitFunctions([
@@ -158,6 +159,7 @@ const initPerformanceTracer = callInitFunctions([
   initOAuth2SettingsDisableCheckbox,
 
   initRepoFileView,
+  initRepoSettingsActionsPermissions,
 ]);
 
 // it must be the last one, then the "querySelectorAll" only needs to be executed once for global init functions.