go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

Gitea actions permissions problem with pull requests #32302

Open Olen opened 6 days ago

Olen commented 6 days ago

Description

There seems to be a problem with the action permissions for pull-requests

I have an action with the following permissions:

    permissions:
      contents: write
      pull-requests: write

And I can see that tea is allowed to run most required commands.

    tea whoami

       gitea-actions

      Follower Count: 0, Following Count: 0, Starred Repos: 0

I can view pull-requests and I can comment/review on pull requests

    tea pr list
    +-------+--------------------------------+-------+--------------+-----------+------------------+--------+
    | INDEX |             TITLE              | STATE |    AUTHOR    | MILESTONE |     UPDATED      | LABELS |
    +-------+--------------------------------+-------+--------------+-----------+------------------+--------+
    |     4 | chore(template): merge         | open  | Ola Thoresen |           | 2024-10-21 13:05 |        |
    |       | template changes :up:          |       |              |           |                  |        |
    +-------+--------------------------------+-------+--------------+-----------+------------------+--------+
    tea pr review 4
    (...)
    ? Concluding comment:
    Must check
    https://xxxxx/olen/test-template-sync/pulls/4#issuecomment-15


But I am not allowed to create pull requests:

    tea pr create
    (...)
    Error: could not create PR from chore/template_sync_56c0689 to olen:main: Can't read pulls or can't read UnitTypeCode

If I add another login in the run with a different token, I am allowed to create a PR.

    tea pr create --login foo

       #5 Chore/Template Sync 56c0689 (open)

      @olen created 2024-10-21 13:10        main <- chore/template_sync_56c0689

I added some trace logging which shows that this is a permission problem:

    2024/10/21 15:01:03 ...s/repo_permission.go:199:func1() [T] Permission Loaded for user <User -2:gitea-actions> in repo <Repository 11:olen/test-template-sync>, permissions: {AccessMode:0 units:[0xc006c1f780 0xc006c1f7c0 0xc006c1f840 0xc006c1f880 0xc006c1f8c0 0xc006c1f900 0xc006c1f940 0xc006c1f980] unitsMode:map[] everyoneAccessMode:map[]}
    2024/10/21 15:01:03 .../api/v1/repo/pull.go:1132:parseCompareInfo() [T] Permission Denied: User <User -2:gitea-actions> cannot create/read pull requests or cannot read code in Repo <Repository 11:olen/test-template-sync>
    User in baseRepo has Permissions: {AccessMode:0 units:[0xc006c1f780 0xc006c1f7c0 0xc006c1f840 0xc006c1f880 0xc006c1f8c0 0xc006c1f900 0xc006c1f940 0xc006c1f980] unitsMode:map[] everyoneAccessMode:map[]}
    2024/10/21 15:01:03 ...s/process/manager.go:231:remove() [T] Done 6716508f-8: /usr/bin/git cat-file --batch-check [repo_path: /data/git/repositories/olen/test-template-sync.git] (modules/git/repo_base_nogogit.go:90)
    2024/10/21 15:01:03 ...eb/routing/logger.go:102:func1() [I] router: completed POST /api/v1/repos/olen/test-template-sync/pulls for 10.42.42.34:37748, 404 Not Found in 35.8ms @ repo/pull.go:344(repo.CreatePullRequest)
    2024/10/21 15:01:03 ...s/process/manager.go:231:remove() [T] Done 6716508f-6: POST: /api/v1/repos/olen/test-template-sync/pulls

Gitea Version

1.22.3

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

git version 2.45.2

Operating System

docker

How are you running Gitea?

docker image: gitea/gitea:latest

Database

MySQL/MariaDB

lunny commented 5 days ago

Permissions haven't been implemented.

Olen commented 4 days ago

Thanks for the clarification. I tried to look through some code to figure out how the action runner token was generated, and which permissions it actually gets, but my go-fu is not at a high enough level.

However, since it seems to be allowed to update PRs, it is a bit strange that it can't create a PR, since - as far as I can see - there are only two choices: issues.read and issues.write, and a PR review to me sounds like a "write" (but I might be wrong).

Would it be possible to allow the action runner token to get permission to create PRs?

gbaian10 commented 3 days ago

The same question, does this mean we cannot use CI on Gitea to create a PR?

Olen commented 3 days ago

You can specify a username and token for the action to use in the `tea login add` stage. But it would be more convenient if the action's running user already had permission to do it.
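As an added illustration of the workaround described in the thread (this is not a workflow from the issue or from the Gitea project), the job below runs `tea login add` with a dedicated token before calling `tea pr create --login`. It assumes the runner image already has `git` and `tea` installed, that a repository secret named `PR_TOKEN` exists (a constructed name) holding an access token for a real user or bot account that is permitted to create pull requests in the repository, and that the head branch `chore/template_sync_56c0689` from the issue has already been pushed. The `permissions` block is the one from the report; on 1.22.3 it does not by itself grant the `gitea-actions` user the right to open a PR, which is why the separate login is needed. From a least-privilege standpoint the token in `PR_TOKEN` should be scoped to only what the job needs (repository and issue/pull-request write), not a full-access personal token.

```yaml
# Added example, not from the issue: open a PR from a Gitea Actions job by
# logging tea in with a dedicated, scoped token instead of the job's own
# gitea-actions identity (which cannot create pull requests on 1.22.3).
name: template-sync
on:
  workflow_dispatch:

# Same block as in the report; kept so the job can still push/comment as
# gitea-actions, but PR creation goes through the explicit login below.
permissions:
  contents: write
  pull-requests: write

jobs:
  open-pr:
    runs-on: ubuntu-latest   # assumption: image provides git and the tea CLI
    steps:
      - uses: actions/checkout@v4

      - name: Log in to Gitea with a dedicated token
        # PR_TOKEN is a constructed secret name. Store a token for an account
        # that may create pull requests here; never hard-code it in the workflow.
        run: |
          tea login add \
            --name pr-bot \
            --url "${{ github.server_url }}" \
            --token "${{ secrets.PR_TOKEN }}"

      - name: Create the pull request using that login
        # --login selects the pr-bot profile created above, mirroring the
        # `tea pr create --login foo` call that succeeded in the report.
        run: |
          tea pr create \
            --login pr-bot \
            --repo "${{ github.repository }}" \
            --head chore/template_sync_56c0689 \
            --base main \
            --title "chore(template): merge template changes"
```

The only difference from the failing run in the report is the `--login pr-bot` profile: the request is authenticated as the token's owner rather than as `gitea-actions`, so the `Can't read pulls or can't read UnitTypeCode` permission check in `parseCompareInfo()` passes. Keep the token in a repository or organisation secret, rotate it like any other service credential, and review the audit trail for PRs opened by that account since they will no longer be attributable to the workflow identity.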