feat: Add configurable permissions for Actions automatic tokens (#36173)

## Overview This PR introduces granular permission controls for Gitea Actions tokens (`GITEA_TOKEN`), aligning Gitea's security model with GitHub Actions standards while maintaining compatibility with Gitea's unique repository unit system. It addresses the need for finer access control by allowing administrators and repository owners to define default token permissions, set maximum permission ceilings, and control cross-repository access within organizations. ## Key Features ### 1. Granular Token Permissions - **Standard Keyword Support**: Implements support for the `permissions:` keyword in workflow and job YAML files (e.g., `contents: read`, `issues: write`). - **Permission Modes**: - **Permissive**: Default write access for most units (backwards compatible). - **Restricted**: Default read-only access for `contents` and `packages`, with no access to other units. - ~~**Custom**: Allows defining specific default levels for each unit type (Code, Issues, PRs, Packages, etc.).~~**EDIT removed UI was confusing** - **Clamping Logic**: Workflow-defined permissions are automatically "clamped" by repository or organization-level maximum settings. Workflows cannot escalate their own permissions beyond these limits. ### 2. Organization & Repository Settings - **Settings UI**: Added new settings pages at both Organization and Repository levels to manage Actions token defaults and maximums. - **Inheritance**: Repositories can be configured to "Follow organization-level configuration," simplifying management across large organizations. - **Cross-Repository Access**: Added a policy to control whether Actions workflows can access other repositories or packages within the same organization. This can be set to "None," "All," or restricted to a "Selected" list of repositories. ### 3. Security Hardening - **Fork Pull Request Protection**: Tokens for workflows triggered by pull requests from forks are strictly enforced as read-only, regardless of repository settings. - ~~**Package Access**: Actions tokens can now only access packages explicitly linked to a repository, with cross-repo access governed by the organization's security policy.~~ **EDIT removed https://github.com/go-gitea/gitea/pull/36173#issuecomment-3873675346** - **Git Hook Integration**: Propagates Actions Task IDs to git hooks to ensure that pushes performed by Actions tokens respect the specific permissions granted at runtime. ### 4. Technical Implementation - **Permission Persistence**: Parsed permissions are calculated at job creation and stored in the `action_run_job` table. This ensures the token's authority is deterministic throughout the job's lifecycle. - **Parsing Priority**: Implemented a priority system in the YAML parser where the broad `contents` scope is applied first, allowing granular scopes like `code` or `releases` to override it for precise control. - **Re-runs**: Permissions are re-evaluated during a job re-run to incorporate any changes made to repository settings in the interim. ### How to Test 1. **Unit Tests**: Run `go test ./services/actions/...` and `go test ./models/repo/...` to verify parsing logic and permission clamping. 2. **Integration Tests**: Comprehensive tests have been added to `tests/integration/actions_job_token_test.go` covering: - Permissive vs. Restricted mode behavior. - YAML `permissions:` keyword evaluation. - Organization cross-repo access policies. - Resource access (Git, API, and Packages) under various permission configs. 3. **Manual Verification**: - Navigate to **Site/Org/Repo Settings -> Actions -> General**. - Change "Default Token Permissions" and verify that newly triggered workflows reflect these changes in their `GITEA_TOKEN` capabilities. - Attempt a cross-repo API call from an Action and verify the Org policy is enforced. ## Documentation Added a PR in gitea's docs for this : https://gitea.com/gitea/docs/pulls/318 ## UI: <img width="1366" height="619" alt="Screenshot 2026-01-24 174112" src="https://github.com/user-attachments/assets/bfa29c9a-4ea5-4346-9410-16d491ef3d44" /> <img width="1360" height="621" alt="Screenshot 2026-01-24 174048" src="https://github.com/user-attachments/assets/d5ec46c8-9a13-4874-a6a4-fb379936cef5" /> /fixes #24635 /claim #24635 --------- Signed-off-by: Excellencedev <ademiluyisuccessandexcellence@gmail.com> Signed-off-by: ChristopherHX <christopher.homberger@web.de> Signed-off-by: silverwind <me@silverwind.io> Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: ChristopherHX <christopher.homberger@web.de> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Zettat123 <zettat123@gmail.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-03-21 23:39:47 +01:00
parent b22123ef86
commit 45809c8f54
57 changed files with 2203 additions and 299 deletions
--- a/models/actions/config.go
+++ b/models/actions/config.go
@@ -0,0 +1,74 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"context"
+
+	"code.gitea.io/gitea/models/perm"
+	repo_model "code.gitea.io/gitea/models/repo"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/json"
+	"code.gitea.io/gitea/modules/util"
+
+	"xorm.io/xorm/convert"
+)
+
+// OwnerActionsConfig defines the Actions configuration for a user or organization
+type OwnerActionsConfig struct {
+	// TokenPermissionMode defines the default permission mode (permissive, restricted)
+	TokenPermissionMode repo_model.ActionsTokenPermissionMode `json:"token_permission_mode,omitempty"`
+
+	// MaxTokenPermissions defines the absolute maximum permissions any token can have in this context.
+	MaxTokenPermissions *repo_model.ActionsTokenPermissions `json:"max_token_permissions,omitempty"`
+
+	// AllowedCrossRepoIDs is a list of specific repo IDs that can be accessed cross-repo
+	AllowedCrossRepoIDs []int64 `json:"allowed_cross_repo_ids,omitempty"`
+}
+
+var _ convert.ConversionFrom = (*OwnerActionsConfig)(nil)
+
+func (cfg *OwnerActionsConfig) FromDB(bytes []byte) error {
+	_ = json.Unmarshal(bytes, cfg)
+	cfg.TokenPermissionMode, _ = util.EnumValue(cfg.TokenPermissionMode)
+	return nil
+}
+
+// GetOwnerActionsConfig loads the OwnerActionsConfig for a user or organization from user settings
+// It returns a default config if no setting is found
+func GetOwnerActionsConfig(ctx context.Context, userID int64) (ret OwnerActionsConfig, err error) {
+	return user_model.GetUserSettingJSON(ctx, userID, user_model.SettingsKeyActionsConfig, ret)
+}
+
+// SetOwnerActionsConfig saves the OwnerActionsConfig for a user or organization to user settings
+func SetOwnerActionsConfig(ctx context.Context, userID int64, cfg OwnerActionsConfig) error {
+	return user_model.SetUserSettingJSON(ctx, userID, user_model.SettingsKeyActionsConfig, cfg)
+}
+
+// GetDefaultTokenPermissions returns the default token permissions by its TokenPermissionMode.
+func (cfg *OwnerActionsConfig) GetDefaultTokenPermissions() repo_model.ActionsTokenPermissions {
+	switch cfg.TokenPermissionMode {
+	case repo_model.ActionsTokenPermissionModeRestricted:
+		return repo_model.MakeRestrictedPermissions()
+	case repo_model.ActionsTokenPermissionModePermissive:
+		return repo_model.MakeActionsTokenPermissions(perm.AccessModeWrite)
+	default:
+		return repo_model.MakeActionsTokenPermissions(perm.AccessModeNone)
+	}
+}
+
+// GetMaxTokenPermissions returns the maximum allowed permissions
+func (cfg *OwnerActionsConfig) GetMaxTokenPermissions() repo_model.ActionsTokenPermissions {
+	if cfg.MaxTokenPermissions != nil {
+		return *cfg.MaxTokenPermissions
+	}
+	// Default max is write for everything
+	return repo_model.MakeActionsTokenPermissions(perm.AccessModeWrite)
+}
+
+// ClampPermissions ensures that the given permissions don't exceed the maximum
+func (cfg *OwnerActionsConfig) ClampPermissions(perms repo_model.ActionsTokenPermissions) repo_model.ActionsTokenPermissions {
+	maxPerms := cfg.GetMaxTokenPermissions()
+	return repo_model.ClampActionsTokenPermissions(perms, maxPerms)
+}
--- a/models/actions/run_job.go
+++ b/models/actions/run_job.go
@@ -51,6 +51,11 @@ type ActionRunJob struct {
 	ConcurrencyGroup  string `xorm:"index(repo_concurrency) NOT NULL DEFAULT ''"` // evaluated concurrency.group
 	ConcurrencyCancel bool   `xorm:"NOT NULL DEFAULT FALSE"`                      // evaluated concurrency.cancel-in-progress

+	// TokenPermissions stores the explicit permissions from workflow/job YAML (no org/repo clamps applied).
+	// Org/repo clamps are enforced when the token is used at runtime.
+	// It is JSON-encoded repo_model.ActionsTokenPermissions and may be empty if not specified.
+	TokenPermissions *repo_model.ActionsTokenPermissions `xorm:"JSON TEXT"`
+
 	Started timeutil.TimeStamp
 	Stopped timeutil.TimeStamp
 	Created timeutil.TimeStamp `xorm:"created"`
--- a/models/actions/token_permissions.go
+++ b/models/actions/token_permissions.go
@@ -0,0 +1,60 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"context"
+
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unit"
+)
+
+// ComputeTaskTokenPermissions computes the effective permissions for a job token against the target repository.
+// It uses the job's stored permissions (if any), then applies org/repo clamps and fork/cross-repo restrictions.
+// Note: target repository access policy checks are enforced in GetActionsUserRepoPermission; this function only computes the job token's effective permission ceiling.
+func ComputeTaskTokenPermissions(ctx context.Context, task *ActionTask, targetRepo *repo_model.Repository) (ret repo_model.ActionsTokenPermissions, err error) {
+	if err := task.LoadJob(ctx); err != nil {
+		return ret, err
+	}
+	if err := task.Job.LoadRepo(ctx); err != nil {
+		return ret, err
+	}
+	runRepo := task.Job.Repo
+
+	if err := runRepo.LoadOwner(ctx); err != nil {
+		return ret, err
+	}
+
+	repoActionsCfg := runRepo.MustGetUnit(ctx, unit.TypeActions).ActionsConfig()
+	ownerActionsCfg, err := GetOwnerActionsConfig(ctx, runRepo.OwnerID)
+	if err != nil {
+		return ret, err
+	}
+
+	var jobDeclaredPerms repo_model.ActionsTokenPermissions
+	if task.Job.TokenPermissions != nil {
+		jobDeclaredPerms = *task.Job.TokenPermissions
+	} else if repoActionsCfg.OverrideOwnerConfig {
+		jobDeclaredPerms = repoActionsCfg.GetDefaultTokenPermissions()
+	} else {
+		jobDeclaredPerms = ownerActionsCfg.GetDefaultTokenPermissions()
+	}
+
+	var effectivePerms repo_model.ActionsTokenPermissions
+	if repoActionsCfg.OverrideOwnerConfig {
+		effectivePerms = repoActionsCfg.ClampPermissions(jobDeclaredPerms)
+	} else {
+		effectivePerms = ownerActionsCfg.ClampPermissions(jobDeclaredPerms)
+	}
+
+	// Cross-repository access and fork pull requests are strictly read-only for security.
+	// This ensures a "task repo" cannot gain write access to other repositories via CrossRepoAccess settings.
+	isSameRepo := task.Job.RepoID == targetRepo.ID
+	restrictCrossRepoAccess := task.IsForkPullRequest || !isSameRepo
+	if restrictCrossRepoAccess {
+		effectivePerms = repo_model.ClampActionsTokenPermissions(effectivePerms, repo_model.MakeRestrictedPermissions())
+	}
+
+	return effectivePerms, nil
+}
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -402,6 +402,7 @@ func prepareMigrationTasks() []*migration {
 		newMigration(325, "Fix missed repo_id when migrate attachments", v1_26.FixMissedRepoIDWhenMigrateAttachments),
 		newMigration(326, "Migrate commit status target URL to use run ID and job ID", v1_26.FixCommitStatusTargetURLToUseRunAndJobID),
 		newMigration(327, "Add disabled state to action runners", v1_26.AddDisabledToActionRunner),
+		newMigration(328, "Add TokenPermissions column to ActionRunJob", v1_26.AddTokenPermissionsToActionRunJob),
 	}
 	return preparedMigrations
 }
--- a/models/migrations/v1_26/v328.go
+++ b/models/migrations/v1_26/v328.go
@@ -0,0 +1,16 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_26
+
+import (
+	"xorm.io/xorm"
+)
+
+func AddTokenPermissionsToActionRunJob(x *xorm.Engine) error {
+	type ActionRunJob struct {
+		TokenPermissions string `xorm:"JSON TEXT"`
+	}
+	_, err := x.SyncWithOptions(xorm.SyncOptions{IgnoreDropIndices: true}, new(ActionRunJob))
+	return err
+}
--- a/models/perm/access/actions_repo_permission_test.go
+++ b/models/perm/access/actions_repo_permission_test.go
@@ -0,0 +1,155 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package access
+
+import (
+	"testing"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	"code.gitea.io/gitea/models/db"
+	perm_model "code.gitea.io/gitea/models/perm"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unit"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetActionsUserRepoPermission(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+	ctx := t.Context()
+
+	// Use fixtures for repos and users
+	repo4 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})   // Public, Owner 5, has Actions unit
+	repo2 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2})   // Private, Owner 2, no Actions unit in fixtures
+	repo15 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 15}) // Private, Owner 2, no Actions unit in fixtures
+	owner2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	actionsUser := user_model.NewActionsUser()
+
+	// Ensure repo2 and repo15 have Actions units for testing configuration
+	for _, r := range []*repo_model.Repository{repo2, repo15} {
+		require.NoError(t, db.Insert(ctx, &repo_model.RepoUnit{
+			RepoID: r.ID,
+			Type:   unit.TypeActions,
+			Config: &repo_model.ActionsConfig{},
+		}))
+	}
+
+	t.Run("SameRepo_Public", func(t *testing.T) {
+		task47 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 47})
+		require.Equal(t, repo4.ID, task47.RepoID)
+
+		perm, err := GetActionsUserRepoPermission(ctx, repo4, actionsUser, task47.ID)
+		require.NoError(t, err)
+
+		// Public repo, bot should have Read access even if not collaborator
+		assert.Equal(t, perm_model.AccessModeNone, perm.AccessMode)
+		assert.True(t, perm.CanRead(unit.TypeCode))
+	})
+
+	t.Run("SameRepo_Private", func(t *testing.T) {
+		// Use Task 53 which is already in Repo 2 (Private)
+		task53 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 53})
+		require.Equal(t, repo2.ID, task53.RepoID)
+
+		perm, err := GetActionsUserRepoPermission(ctx, repo2, actionsUser, task53.ID)
+		require.NoError(t, err)
+
+		// Private repo, bot has no base access, but gets Write from effective tokens perms (Permissive by default)
+		assert.Equal(t, perm_model.AccessModeNone, perm.AccessMode)
+		assert.True(t, perm.CanWrite(unit.TypeCode))
+	})
+
+	t.Run("CrossRepo_Denied_None", func(t *testing.T) {
+		task53 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 53})
+
+		// Set owner policy to nil allowed repos (None)
+		cfg := actions_model.OwnerActionsConfig{}
+		require.NoError(t, actions_model.SetOwnerActionsConfig(ctx, owner2.ID, cfg))
+
+		perm, err := GetActionsUserRepoPermission(ctx, repo15, actionsUser, task53.ID)
+		require.NoError(t, err)
+
+		// Should NOT have access to the private repo.
+		assert.False(t, perm.CanRead(unit.TypeCode))
+	})
+
+	t.Run("ForkPR_NoCrossRepo", func(t *testing.T) {
+		task53 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 53})
+		task53.IsForkPullRequest = true
+		require.NoError(t, actions_model.UpdateTask(ctx, task53, "is_fork_pull_request"))
+
+		// Policy contains repo15
+		cfg := actions_model.OwnerActionsConfig{
+			AllowedCrossRepoIDs: []int64{repo15.ID},
+		}
+		require.NoError(t, actions_model.SetOwnerActionsConfig(ctx, owner2.ID, cfg))
+
+		perm, err := GetActionsUserRepoPermission(ctx, repo15, actionsUser, task53.ID)
+		require.NoError(t, err)
+
+		// Fork PR never gets cross-repo access to other private repos
+		assert.False(t, perm.CanRead(unit.TypeCode))
+	})
+
+	t.Run("Inheritance_And_Clamping", func(t *testing.T) {
+		task53 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 53})
+		task53.IsForkPullRequest = false
+		require.NoError(t, actions_model.UpdateTask(ctx, task53, "is_fork_pull_request"))
+
+		// Owner policy: Restricted mode (Read-only Code)
+		ownerCfg := actions_model.OwnerActionsConfig{
+			TokenPermissionMode: repo_model.ActionsTokenPermissionModeRestricted,
+			MaxTokenPermissions: &repo_model.ActionsTokenPermissions{
+				UnitAccessModes: map[unit.Type]perm_model.AccessMode{
+					unit.TypeCode: perm_model.AccessModeRead,
+				},
+			},
+		}
+		require.NoError(t, actions_model.SetOwnerActionsConfig(ctx, owner2.ID, ownerCfg))
+
+		// Repo policy: OverrideOwnerConfig = false (should inherit owner's restricted mode)
+		repo2ActionsUnit := repo2.MustGetUnit(ctx, unit.TypeActions)
+		repo2ActionsCfg := repo2ActionsUnit.ActionsConfig()
+		repo2ActionsCfg.OverrideOwnerConfig = false
+		require.NoError(t, repo_model.UpdateRepoUnitConfig(ctx, repo2ActionsUnit))
+
+		perm, err := GetActionsUserRepoPermission(ctx, repo2, actionsUser, task53.ID)
+		require.NoError(t, err)
+
+		// Should be clamped to Read-only
+		assert.Equal(t, perm_model.AccessModeRead, perm.UnitAccessMode(unit.TypeCode))
+		assert.False(t, perm.CanWrite(unit.TypeCode))
+	})
+
+	t.Run("RepoOverride_Clamping", func(t *testing.T) {
+		task53 := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 53})
+
+		// Owner policy: Permissive (Write access)
+		ownerCfg := actions_model.OwnerActionsConfig{
+			TokenPermissionMode: repo_model.ActionsTokenPermissionModePermissive,
+		}
+		require.NoError(t, actions_model.SetOwnerActionsConfig(ctx, owner2.ID, ownerCfg))
+
+		// Repo policy: OverrideOwnerConfig = true, MaxTokenPermissions = Read
+		repo2ActionsUnit := repo2.MustGetUnit(ctx, unit.TypeActions)
+		repo2ActionsCfg := repo2ActionsUnit.ActionsConfig()
+		repo2ActionsCfg.OverrideOwnerConfig = true
+		repo2ActionsCfg.TokenPermissionMode = repo_model.ActionsTokenPermissionModeRestricted
+		repo2ActionsCfg.MaxTokenPermissions = &repo_model.ActionsTokenPermissions{
+			UnitAccessModes: map[unit.Type]perm_model.AccessMode{
+				unit.TypeCode: perm_model.AccessModeRead,
+			},
+		}
+		require.NoError(t, repo_model.UpdateRepoUnitConfig(ctx, repo2ActionsUnit))
+
+		perm, err := GetActionsUserRepoPermission(ctx, repo2, actionsUser, task53.ID)
+		require.NoError(t, err)
+
+		// Should be clamped to Read-only
+		assert.Equal(t, perm_model.AccessModeRead, perm.UnitAccessMode(unit.TypeCode))
+	})
+}
--- a/models/perm/access/repo_permission.go
+++ b/models/perm/access/repo_permission.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"maps"
 	"slices"
 	"strings"

@@ -258,6 +259,23 @@ func finalProcessRepoUnitPermission(user *user_model.User, perm *Permission) {
 	}
 }

+func checkSameOwnerCrossRepoAccess(ctx context.Context, taskRepo, targetRepo *repo_model.Repository, isForkPR bool) bool {
+	if isForkPR {
+		// Fork PRs are never allowed cross-repo access to other private repositories of the owner.
+		return false
+	}
+	if taskRepo.OwnerID != targetRepo.OwnerID {
+		return false
+	}
+	ownerCfg, err := actions_model.GetOwnerActionsConfig(ctx, targetRepo.OwnerID)
+	if err != nil {
+		log.Error("GetOwnerActionsConfig: %v", err)
+		return false
+	}
+
+	return slices.Contains(ownerCfg.AllowedCrossRepoIDs, targetRepo.ID)
+}
+
 // GetActionsUserRepoPermission returns the actions user permissions to the repository
 func GetActionsUserRepoPermission(ctx context.Context, repo *repo_model.Repository, actionsUser *user_model.User, taskID int64) (perm Permission, err error) {
 	if actionsUser.ID != user_model.ActionsUserID {
@@ -268,37 +286,96 @@ func GetActionsUserRepoPermission(ctx context.Context, repo *repo_model.Reposito
 		return perm, err
 	}

-	var accessMode perm_model.AccessMode
+	if err := task.LoadJob(ctx); err != nil {
+		return perm, err
+	}
+
+	var taskRepo *repo_model.Repository
 	if task.RepoID != repo.ID {
-		taskRepo, exist, err := db.GetByID[repo_model.Repository](ctx, task.RepoID)
-		if err != nil || !exist {
+		if err := task.Job.LoadRepo(ctx); err != nil {
 			return perm, err
 		}
-		actionsCfg := repo.MustGetUnit(ctx, unit.TypeActions).ActionsConfig()
-		if !actionsCfg.IsCollaborativeOwner(taskRepo.OwnerID) || !taskRepo.IsPrivate {
-			// The task repo can access the current repo only if the task repo is private and
-			// the owner of the task repo is a collaborative owner of the current repo.
-			// FIXME should owner's visibility also be considered here?
+		taskRepo = task.Job.Repo
+	} else {
+		taskRepo = repo
+	}

-			// check permission like simple user but limit to read-only
-			perm, err = GetUserRepoPermission(ctx, repo, user_model.NewActionsUser())
+	// Compute effective permissions for this task against the target repo
+	effectivePerms, err := actions_model.ComputeTaskTokenPermissions(ctx, task, repo)
+	if err != nil {
+		return perm, err
+	}
+	if task.RepoID != repo.ID {
+		// Cross-repo access must also respect the target repo's permission ceiling.
+		targetRepoActionsCfg := repo.MustGetUnit(ctx, unit.TypeActions).ActionsConfig()
+		if targetRepoActionsCfg.OverrideOwnerConfig {
+			effectivePerms = targetRepoActionsCfg.ClampPermissions(effectivePerms)
+		} else {
+			targetRepoOwnerActionsCfg, err := actions_model.GetOwnerActionsConfig(ctx, repo.OwnerID)
 			if err != nil {
 				return perm, err
 			}
-			perm.AccessMode = min(perm.AccessMode, perm_model.AccessModeRead)
-			return perm, nil
+			effectivePerms = targetRepoOwnerActionsCfg.ClampPermissions(effectivePerms)
 		}
-		accessMode = perm_model.AccessModeRead
-	} else if task.IsForkPullRequest {
-		accessMode = perm_model.AccessModeRead
-	} else {
-		accessMode = perm_model.AccessModeWrite
 	}

 	if err := repo.LoadUnits(ctx); err != nil {
 		return perm, err
 	}
-	perm.SetUnitsWithDefaultAccessMode(repo.Units, accessMode)
+
+	var maxPerm Permission
+
+	// Set up per-unit access modes based on configured permissions
+	maxPerm.units = repo.Units
+	maxPerm.unitsMode = maps.Clone(effectivePerms.UnitAccessModes)
+
+	// Check permission like simple user but limit to read-only (PR #36095)
+	// Enhanced to also grant read-only access if isSameRepo is true and target repository is public
+	botPerm, err := GetUserRepoPermission(ctx, repo, user_model.NewActionsUser())
+	if err != nil {
+		return perm, err
+	}
+	if botPerm.AccessMode >= perm_model.AccessModeRead {
+		// Public repo allows read access, increase permissions to at least read
+		// Otherwise you cannot access your own repository if your permissions are set to none but the repository is public
+		for _, u := range repo.Units {
+			if botPerm.CanRead(u.Type) {
+				maxPerm.unitsMode[u.Type] = max(maxPerm.unitsMode[u.Type], perm_model.AccessModeRead)
+			}
+		}
+	}
+
+	if task.RepoID == repo.ID {
+		return maxPerm, nil
+	}
+
+	if checkSameOwnerCrossRepoAccess(ctx, taskRepo, repo, task.IsForkPullRequest) {
+		// Access allowed by owner policy (grants access to private repos).
+		// Note: maxPerm has already been restricted to Read-Only in ComputeTaskTokenPermissions
+		// because isSameRepo is false.
+		return maxPerm, nil
+	}
+
+	// Fall through to allow public repository read access via botPerm check below
+
+	// Check if the repo is public or the Bot has explicit access
+	if botPerm.AccessMode >= perm_model.AccessModeRead {
+		return maxPerm, nil
+	}
+
+	// Check Collaborative Owner and explicit Bot permissions
+	// We allow access if:
+	// 1. It's a collaborative owner relationship
+	// 2. The Actions Bot user has been explicitly granted access and repository is private
+	// 3. The repository is public (handled by botPerm above)
+
+	if taskRepo.IsPrivate {
+		actionsUnit := repo.MustGetUnit(ctx, unit.TypeActions)
+		if actionsUnit.ActionsConfig().IsCollaborativeOwner(taskRepo.OwnerID) {
+			return maxPerm, nil
+		}
+	}
+
 	return perm, nil
 }

--- a/models/repo/pull_request_default_test.go
+++ b/models/repo/pull_request_default_test.go
@@ -26,7 +26,7 @@ func TestDefaultTargetBranchSelection(t *testing.T) {
 	prConfig := prUnit.PullRequestsConfig()
 	prConfig.DefaultTargetBranch = "branch2"
 	prUnit.Config = prConfig
-	assert.NoError(t, UpdateRepoUnit(ctx, prUnit))
+	assert.NoError(t, UpdateRepoUnitConfig(ctx, prUnit))
 	repo.Units = nil
 	assert.Equal(t, "branch2", repo.GetPullRequestTargetBranch(ctx))
 }
--- a/models/repo/repo_list.go
+++ b/models/repo/repo_list.go
@@ -778,3 +778,11 @@ func GetUserRepositories(ctx context.Context, opts SearchRepoOptions) (Repositor
 	repos := make(RepositoryList, 0, opts.PageSize)
 	return repos, count, db.SetSessionPagination(sess, &opts).Find(&repos)
 }
+
+func GetOwnerRepositoriesByIDs(ctx context.Context, ownerID int64, repoIDs []int64) (RepositoryList, error) {
+	if len(repoIDs) == 0 {
+		return RepositoryList{}, nil
+	}
+	repos := make(RepositoryList, 0, len(repoIDs))
+	return repos, db.GetEngine(ctx).Where(builder.Eq{"owner_id": ownerID}).In("id", repoIDs).Find(&repos)
+}
--- a/models/repo/repo_unit.go
+++ b/models/repo/repo_unit.go
@@ -5,8 +5,6 @@ package repo

 import (
 	"context"
-	"slices"
-	"strings"

 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/perm"
@@ -175,57 +173,6 @@ func DefaultPullRequestsUnit(repoID int64) RepoUnit {
 	return RepoUnit{RepoID: repoID, Type: unit.TypePullRequests, Config: DefaultPullRequestsConfig()}
 }

-type ActionsConfig struct {
-	DisabledWorkflows []string
-	// CollaborativeOwnerIDs is a list of owner IDs used to share actions from private repos.
-	// Only workflows from the private repos whose owners are in CollaborativeOwnerIDs can access the current repo's actions.
-	CollaborativeOwnerIDs []int64
-}
-
-func (cfg *ActionsConfig) EnableWorkflow(file string) {
-	cfg.DisabledWorkflows = util.SliceRemoveAll(cfg.DisabledWorkflows, file)
-}
-
-func (cfg *ActionsConfig) ToString() string {
-	return strings.Join(cfg.DisabledWorkflows, ",")
-}
-
-func (cfg *ActionsConfig) IsWorkflowDisabled(file string) bool {
-	return slices.Contains(cfg.DisabledWorkflows, file)
-}
-
-func (cfg *ActionsConfig) DisableWorkflow(file string) {
-	if slices.Contains(cfg.DisabledWorkflows, file) {
-		return
-	}
-
-	cfg.DisabledWorkflows = append(cfg.DisabledWorkflows, file)
-}
-
-func (cfg *ActionsConfig) AddCollaborativeOwner(ownerID int64) {
-	if !slices.Contains(cfg.CollaborativeOwnerIDs, ownerID) {
-		cfg.CollaborativeOwnerIDs = append(cfg.CollaborativeOwnerIDs, ownerID)
-	}
-}
-
-func (cfg *ActionsConfig) RemoveCollaborativeOwner(ownerID int64) {
-	cfg.CollaborativeOwnerIDs = util.SliceRemoveAll(cfg.CollaborativeOwnerIDs, ownerID)
-}
-
-func (cfg *ActionsConfig) IsCollaborativeOwner(ownerID int64) bool {
-	return slices.Contains(cfg.CollaborativeOwnerIDs, ownerID)
-}
-
-// FromDB fills up a ActionsConfig from serialized format.
-func (cfg *ActionsConfig) FromDB(bs []byte) error {
-	return json.UnmarshalHandleDoubleEncode(bs, &cfg)
-}
-
-// ToDB exports a ActionsConfig to a serialized format.
-func (cfg *ActionsConfig) ToDB() ([]byte, error) {
-	return json.Marshal(cfg)
-}
-
 // ProjectsMode represents the projects enabled for a repository
 type ProjectsMode string

@@ -279,7 +226,8 @@ func (cfg *ProjectsConfig) IsProjectsAllowed(m ProjectsMode) bool {
 func (r *RepoUnit) BeforeSet(colName string, val xorm.Cell) {
 	switch colName {
 	case "type":
-		switch unit.Type(db.Cell2Int64(val)) {
+		r.Type = unit.Type(db.Cell2Int64(val))
+		switch r.Type {
 		case unit.TypeExternalWiki:
 			r.Config = new(ExternalWikiConfig)
 		case unit.TypeExternalTracker:
@@ -297,6 +245,11 @@ func (r *RepoUnit) BeforeSet(colName string, val xorm.Cell) {
 		default:
 			r.Config = new(UnitConfig)
 		}
+	case "config":
+		if *val == nil {
+			// XROM doesn't call FromDB if the value is nil, but we need to set default values for the config fields
+			_ = r.Config.FromDB(nil)
+		}
 	}
 }

@@ -360,9 +313,9 @@ func getUnitsByRepoID(ctx context.Context, repoID int64) (units []*RepoUnit, err
 	return units, nil
 }

-// UpdateRepoUnit updates the provided repo unit
-func UpdateRepoUnit(ctx context.Context, unit *RepoUnit) error {
-	_, err := db.GetEngine(ctx).ID(unit.ID).Update(unit)
+// UpdateRepoUnitConfig updates the config of the provided repo unit
+func UpdateRepoUnitConfig(ctx context.Context, unit *RepoUnit) error {
+	_, err := db.GetEngine(ctx).ID(unit.ID).Cols("config").Update(unit)
 	return err
 }

--- a/models/repo/repo_unit_actions.go
+++ b/models/repo/repo_unit_actions.go
@@ -0,0 +1,153 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package repo
+
+import (
+	"slices"
+
+	"code.gitea.io/gitea/models/perm"
+	"code.gitea.io/gitea/models/unit"
+	"code.gitea.io/gitea/modules/json"
+	"code.gitea.io/gitea/modules/util"
+)
+
+// ActionsTokenPermissionMode defines the default permission mode for Actions tokens
+type ActionsTokenPermissionMode string
+
+const (
+	// ActionsTokenPermissionModePermissive - write access by default (current behavior, backwards compatible)
+	ActionsTokenPermissionModePermissive ActionsTokenPermissionMode = "permissive"
+	// ActionsTokenPermissionModeRestricted - read access by default
+	ActionsTokenPermissionModeRestricted ActionsTokenPermissionMode = "restricted"
+)
+
+func (ActionsTokenPermissionMode) EnumValues() []ActionsTokenPermissionMode {
+	return []ActionsTokenPermissionMode{ActionsTokenPermissionModePermissive /* default */, ActionsTokenPermissionModeRestricted}
+}
+
+// ActionsTokenPermissions defines the permissions for different repository units
+type ActionsTokenPermissions struct {
+	UnitAccessModes map[unit.Type]perm.AccessMode `json:"unit_access_modes,omitempty"`
+}
+
+var ActionsTokenUnitTypes = []unit.Type{
+	unit.TypeCode,
+	unit.TypeIssues,
+	unit.TypePullRequests,
+	unit.TypePackages,
+	unit.TypeActions,
+	unit.TypeWiki,
+	unit.TypeReleases,
+	unit.TypeProjects,
+}
+
+func MakeActionsTokenPermissions(unitAccessMode perm.AccessMode) (ret ActionsTokenPermissions) {
+	ret.UnitAccessModes = make(map[unit.Type]perm.AccessMode)
+	for _, u := range ActionsTokenUnitTypes {
+		ret.UnitAccessModes[u] = unitAccessMode
+	}
+	return ret
+}
+
+// ClampActionsTokenPermissions ensures that the given permissions don't exceed the maximum
+func ClampActionsTokenPermissions(p1, p2 ActionsTokenPermissions) (ret ActionsTokenPermissions) {
+	ret.UnitAccessModes = make(map[unit.Type]perm.AccessMode)
+	for _, ut := range ActionsTokenUnitTypes {
+		ret.UnitAccessModes[ut] = min(p1.UnitAccessModes[ut], p2.UnitAccessModes[ut])
+	}
+	return ret
+}
+
+// MakeRestrictedPermissions returns the restricted permissions
+func MakeRestrictedPermissions() ActionsTokenPermissions {
+	ret := MakeActionsTokenPermissions(perm.AccessModeNone)
+	ret.UnitAccessModes[unit.TypeCode] = perm.AccessModeRead
+	ret.UnitAccessModes[unit.TypePackages] = perm.AccessModeRead
+	ret.UnitAccessModes[unit.TypeReleases] = perm.AccessModeRead
+	return ret
+}
+
+type ActionsConfig struct {
+	DisabledWorkflows []string
+	// CollaborativeOwnerIDs is a list of owner IDs used to share actions from private repos.
+	// Only workflows from the private repos whose owners are in CollaborativeOwnerIDs can access the current repo's actions.
+	CollaborativeOwnerIDs []int64
+	// TokenPermissionMode defines the default permission mode (permissive, restricted, or custom)
+	TokenPermissionMode ActionsTokenPermissionMode `json:"token_permission_mode,omitempty"`
+	// MaxTokenPermissions defines the absolute maximum permissions any token can have in this context.
+	// Workflow YAML "permissions" keywords can reduce permissions but never exceed this ceiling.
+	MaxTokenPermissions *ActionsTokenPermissions `json:"max_token_permissions,omitempty"`
+	// OverrideOwnerConfig indicates if this repository should override the owner-level configuration (User or Org)
+	OverrideOwnerConfig bool `json:"override_owner_config,omitempty"`
+}
+
+func (cfg *ActionsConfig) EnableWorkflow(file string) {
+	cfg.DisabledWorkflows = util.SliceRemoveAll(cfg.DisabledWorkflows, file)
+}
+
+func (cfg *ActionsConfig) IsWorkflowDisabled(file string) bool {
+	return slices.Contains(cfg.DisabledWorkflows, file)
+}
+
+func (cfg *ActionsConfig) DisableWorkflow(file string) {
+	if slices.Contains(cfg.DisabledWorkflows, file) {
+		return
+	}
+
+	cfg.DisabledWorkflows = append(cfg.DisabledWorkflows, file)
+}
+
+func (cfg *ActionsConfig) AddCollaborativeOwner(ownerID int64) {
+	if !slices.Contains(cfg.CollaborativeOwnerIDs, ownerID) {
+		cfg.CollaborativeOwnerIDs = append(cfg.CollaborativeOwnerIDs, ownerID)
+	}
+}
+
+func (cfg *ActionsConfig) RemoveCollaborativeOwner(ownerID int64) {
+	cfg.CollaborativeOwnerIDs = util.SliceRemoveAll(cfg.CollaborativeOwnerIDs, ownerID)
+}
+
+func (cfg *ActionsConfig) IsCollaborativeOwner(ownerID int64) bool {
+	return slices.Contains(cfg.CollaborativeOwnerIDs, ownerID)
+}
+
+// GetDefaultTokenPermissions returns the default token permissions by its TokenPermissionMode.
+// It does not apply MaxTokenPermissions; callers must clamp if needed.
+func (cfg *ActionsConfig) GetDefaultTokenPermissions() ActionsTokenPermissions {
+	switch cfg.TokenPermissionMode {
+	case ActionsTokenPermissionModeRestricted:
+		return MakeRestrictedPermissions()
+	case ActionsTokenPermissionModePermissive:
+		return MakeActionsTokenPermissions(perm.AccessModeWrite)
+	default:
+		return ActionsTokenPermissions{}
+	}
+}
+
+// GetMaxTokenPermissions returns the maximum allowed permissions
+func (cfg *ActionsConfig) GetMaxTokenPermissions() ActionsTokenPermissions {
+	if cfg.MaxTokenPermissions != nil {
+		return *cfg.MaxTokenPermissions
+	}
+	// Default max is write for everything
+	return MakeActionsTokenPermissions(perm.AccessModeWrite)
+}
+
+// ClampPermissions ensures that the given permissions don't exceed the maximum
+func (cfg *ActionsConfig) ClampPermissions(perms ActionsTokenPermissions) ActionsTokenPermissions {
+	maxPerms := cfg.GetMaxTokenPermissions()
+	return ClampActionsTokenPermissions(perms, maxPerms)
+}
+
+// FromDB fills up a ActionsConfig from serialized format.
+func (cfg *ActionsConfig) FromDB(bs []byte) error {
+	_ = json.UnmarshalHandleDoubleEncode(bs, &cfg)
+	cfg.TokenPermissionMode, _ = util.EnumValue(cfg.TokenPermissionMode)
+	return nil
+}
+
+// ToDB exports a ActionsConfig to a serialized format.
+func (cfg *ActionsConfig) ToDB() ([]byte, error) {
+	return json.Marshal(cfg)
+}
--- a/models/repo/repo_unit_test.go
+++ b/models/repo/repo_unit_test.go
@@ -4,8 +4,12 @@
 package repo

 import (
+	"strings"
 	"testing"

+	"code.gitea.io/gitea/models/perm"
+	"code.gitea.io/gitea/models/unit"
+
 	"github.com/stretchr/testify/assert"
 )

@@ -26,5 +30,75 @@ func TestActionsConfig(t *testing.T) {
 	cfg.DisableWorkflow("test1.yaml")
 	cfg.DisableWorkflow("test2.yaml")
 	cfg.DisableWorkflow("test3.yaml")
-	assert.Equal(t, "test1.yaml,test2.yaml,test3.yaml", cfg.ToString())
+	assert.Equal(t, "test1.yaml,test2.yaml,test3.yaml", strings.Join(cfg.DisabledWorkflows, ","))
+}
+
+func TestActionsConfigTokenPermissions(t *testing.T) {
+	t.Run("Default Permission Mode", func(t *testing.T) {
+		cfg := &ActionsConfig{TokenPermissionMode: "invalid-value"}
+		_ = cfg.FromDB(nil)
+		assert.Equal(t, ActionsTokenPermissionModePermissive, cfg.TokenPermissionMode)
+		assert.Equal(t, perm.AccessModeWrite, cfg.GetDefaultTokenPermissions().UnitAccessModes[unit.TypeCode])
+	})
+
+	t.Run("Explicit Permission Mode", func(t *testing.T) {
+		cfg := &ActionsConfig{
+			TokenPermissionMode: ActionsTokenPermissionModeRestricted,
+		}
+		assert.Equal(t, ActionsTokenPermissionModeRestricted, cfg.TokenPermissionMode)
+	})
+
+	t.Run("Effective Permissions - Permissive Mode", func(t *testing.T) {
+		cfg := &ActionsConfig{
+			TokenPermissionMode: ActionsTokenPermissionModePermissive,
+		}
+		defaultPerms := cfg.GetDefaultTokenPermissions()
+		perms := cfg.ClampPermissions(defaultPerms)
+		assert.Equal(t, perm.AccessModeWrite, perms.UnitAccessModes[unit.TypeCode])
+		assert.Equal(t, perm.AccessModeWrite, perms.UnitAccessModes[unit.TypeIssues])
+		assert.Equal(t, perm.AccessModeWrite, perms.UnitAccessModes[unit.TypePackages])
+	})
+
+	t.Run("Effective Permissions - Restricted Mode", func(t *testing.T) {
+		cfg := &ActionsConfig{
+			TokenPermissionMode: ActionsTokenPermissionModeRestricted,
+		}
+		defaultPerms := cfg.GetDefaultTokenPermissions()
+		perms := cfg.ClampPermissions(defaultPerms)
+		assert.Equal(t, perm.AccessModeRead, perms.UnitAccessModes[unit.TypeCode])
+		assert.Equal(t, perm.AccessModeNone, perms.UnitAccessModes[unit.TypeIssues])
+		assert.Equal(t, perm.AccessModeRead, perms.UnitAccessModes[unit.TypePackages])
+	})
+
+	t.Run("Clamp Permissions", func(t *testing.T) {
+		cfg := &ActionsConfig{
+			MaxTokenPermissions: &ActionsTokenPermissions{
+				UnitAccessModes: map[unit.Type]perm.AccessMode{
+					unit.TypeCode:         perm.AccessModeRead,
+					unit.TypeIssues:       perm.AccessModeWrite,
+					unit.TypePullRequests: perm.AccessModeRead,
+					unit.TypePackages:     perm.AccessModeRead,
+					unit.TypeActions:      perm.AccessModeNone,
+					unit.TypeWiki:         perm.AccessModeWrite,
+				},
+			},
+		}
+		input := ActionsTokenPermissions{
+			UnitAccessModes: map[unit.Type]perm.AccessMode{
+				unit.TypeCode:         perm.AccessModeWrite, // Should be clamped to Read
+				unit.TypeIssues:       perm.AccessModeWrite, // Should stay Write
+				unit.TypePullRequests: perm.AccessModeWrite, // Should be clamped to Read
+				unit.TypePackages:     perm.AccessModeWrite, // Should be clamped to Read
+				unit.TypeActions:      perm.AccessModeRead,  // Should be clamped to None
+				unit.TypeWiki:         perm.AccessModeRead,  // Should stay Read
+			},
+		}
+		clamped := cfg.ClampPermissions(input)
+		assert.Equal(t, perm.AccessModeRead, clamped.UnitAccessModes[unit.TypeCode])
+		assert.Equal(t, perm.AccessModeWrite, clamped.UnitAccessModes[unit.TypeIssues])
+		assert.Equal(t, perm.AccessModeRead, clamped.UnitAccessModes[unit.TypePullRequests])
+		assert.Equal(t, perm.AccessModeRead, clamped.UnitAccessModes[unit.TypePackages])
+		assert.Equal(t, perm.AccessModeNone, clamped.UnitAccessModes[unit.TypeActions])
+		assert.Equal(t, perm.AccessModeRead, clamped.UnitAccessModes[unit.TypeWiki])
+	})
 }
--- a/models/user/setting.go
+++ b/models/user/setting.go
@@ -11,10 +11,12 @@ import (

 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/cache"
+	"code.gitea.io/gitea/modules/json"
 	setting_module "code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"

 	"xorm.io/builder"
+	"xorm.io/xorm/convert"
 )

 // Setting is a key value store of user settings
@@ -211,3 +213,44 @@ func upsertUserSettingValue(ctx context.Context, userID int64, key, value string
 		return err
 	})
 }
+
+func GetUserSettingJSON[T any](ctx context.Context, userID int64, key string, def T) (ret T, _ error) {
+	ret = def
+	str, err := GetUserSetting(ctx, userID, key)
+	if err != nil {
+		return ret, err
+	}
+
+	conv, ok := any(&ret).(convert.ConversionFrom)
+	if !ok {
+		conv, ok = any(ret).(convert.ConversionFrom)
+	}
+	if ok {
+		if err := conv.FromDB(util.UnsafeStringToBytes(str)); err != nil {
+			return ret, err
+		}
+	} else {
+		if str == "" {
+			return ret, nil
+		}
+		err = json.Unmarshal(util.UnsafeStringToBytes(str), &ret)
+	}
+	return ret, err
+}
+
+func SetUserSettingJSON[T any](ctx context.Context, userID int64, key string, val T) (err error) {
+	conv, ok := any(&val).(convert.ConversionTo)
+	if !ok {
+		conv, ok = any(val).(convert.ConversionTo)
+	}
+	var bs []byte
+	if ok {
+		bs, err = conv.ToDB()
+	} else {
+		bs, err = json.Marshal(val)
+	}
+	if err != nil {
+		return err
+	}
+	return SetUserSetting(ctx, userID, key, util.UnsafeBytesToString(bs))
+}
--- a/models/user/setting_options.go
+++ b/models/user/setting_options.go
@@ -22,4 +22,6 @@ const (
 	SettingEmailNotificationGiteaActionsAll         = "all"
 	SettingEmailNotificationGiteaActionsFailureOnly = "failure-only" // Default for actions email preference
 	SettingEmailNotificationGiteaActionsDisabled    = "disabled"
+
+	SettingsKeyActionsConfig = "actions.config"
 )