From ec0e0399d8d53c7ebefe24ff96834b277790d86a Mon Sep 17 00:00:00 2001 From: limiting-factor Date: Sat, 30 May 2026 02:55:17 +0200 Subject: [PATCH] fix: show the actions trust management panel when runs from trusted users are pending approval (#12812) When the status of a user makes it implicitly trusted to run actions (for instance when it becomes a member of the Owners team of an organization), the runs that were blocked before they became trusted will need to be approved or denied. The trust management panel was not displayed if the poster of the pull request was trusted. It is now displayed regardless of the current trust status of the user. Closes forgejo/forgejo#12811 --- ## Alternative implementation An alternative implementation would be to approve all pending runs whenever the trust status of a user changes. That would require that change to happen when the user joins a team with permissions to run actions, becomes an admin, a collaborator to a repository with write access or when a repository ownership is transferred to an organization where the user already has such rights. Such an implementation would save the effort of manually taking care of the runs pending approval for the now trusted user. But it would also be fragile to maintain because it would need a complete inventory of all the ways a user can become trusted. Or some kind of notification triggered whenever such an event happens, which is not currently in place. Since this is a rare case and the manual operation is simple, I think the easiest fix consisting of showing the trust panel regardless of the trust status of the user is acceptable. ## Lingering rows in `ActionUser` If a newly trusted user is explicitly always trusted **after** being implicitly trusted, a row is created in `ActionUser`. But the `Revoke` button will never show, because the user is now implicitly trusted. This leaves a lingering row in the `ActionUser` table. Such a row will be [removed](https://codeberg.org/forgejo/forgejo/pulls/9397/commits/e41bcf5048efaa36d19f21d67e37377e0f77c422) eventually and not clutter the table. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes (can be removed for JavaScript changes) - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. *The decision if the pull request will be shown in the release notes is up to the mergers / release team.* The content of the `release-notes/.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead. ## Release notes - User Interface bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/12812): fix: show the actions trust management panel when runs from trusted users are pending approval Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12812 Reviewed-by: Robert Wolff Reviewed-by: Mathieu Fenniak --- templates/repo/pulls/trust.tmpl | 2 +- tests/integration/actions_trust_test.go | 44 ++++++++++++++++++++++++- 2 files changed, 44 insertions(+), 2 deletions(-) diff --git a/templates/repo/pulls/trust.tmpl b/templates/repo/pulls/trust.tmpl index 68e5b692ee..334c3bba2c 100644 --- a/templates/repo/pulls/trust.tmpl +++ b/templates/repo/pulls/trust.tmpl @@ -23,7 +23,7 @@ Template Attributes: - {{else if and .PullRequestPosterIsNotTrustedWithActions .SomePullRequestRunsNeedApproval}} + {{else if .SomePullRequestRunsNeedApproval}}
diff --git a/tests/integration/actions_trust_test.go b/tests/integration/actions_trust_test.go index 3c334e0d8c..2cd239f96c 100644 --- a/tests/integration/actions_trust_test.go +++ b/tests/integration/actions_trust_test.go @@ -254,6 +254,14 @@ func actionsTrustTestCreatePullRequestFromForkedRepo(t *testing.T, baseUser *use return forkedRepo, pullRequest, addFileToForkedResp } +func actionsTrustSetCollaborator(t *testing.T, token string, repo *repo_model.Repository, user *user_model.User, permission string) { + t.Helper() + + repoAPILink := repo.APIURL() + req := NewRequestWithJSON(t, "PUT", fmt.Sprintf("%s/collaborators/%s", repoAPILink, user.Name), map[string]string{"permission": permission}).AddTokenAuth(token) + MakeRequest(t, req, http.StatusNoContent) +} + // Mark the PR as a work-in-progress PR func actionsTrustTestSetPullRequestWIP(t *testing.T, pullRequest *issues_model.PullRequest, wip bool) { t.Helper() @@ -284,7 +292,41 @@ func actionsTrustTestModifyTitlePullRequest(t *testing.T, token string, pullRequ assert.Equal(t, actions_model.StatusBlocked, actionRunJob.Status) } -func TestActionsPullRequestTrustPanel(t *testing.T) { +func TestActionsPullRequestTrustPanelImplicit(t *testing.T) { + onApplicationRun(t, func(t *testing.T, u *url.URL) { + ownerUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) // owner of the repo + ownerSession := loginUser(t, ownerUser.Name) + ownerToken := getTokenForLoggedInUser(t, ownerSession, auth_model.AccessTokenScopeAll) + + regularUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5}) // a regular user with no specific permission + regularSession := loginUser(t, regularUser.Name) + + baseRepo, f := actionsTrustTestCreateBaseRepo(t, ownerUser) + defer f() + + _, pullRequest, _ := actionsTrustTestCreatePullRequestFromForkedRepo(t, ownerUser, baseRepo, regularUser) + pullRequestLink := pullRequest.Issue.Link() + + t.Run("All users see a pending approval on a newly created pull request from a fork", func(t *testing.T) { + actionsTrustTestAssertTrustPanel(t, regularSession, pullRequestLink) + actionsTrustTestAssertTrustPanel(t, ownerSession, pullRequestLink) + }) + + t.Run("The regular user becomes implicitly trusted and the pending approval are still displayed because they were created when the user was not trusted", func(t *testing.T) { + actionsTrustSetCollaborator(t, ownerToken, baseRepo, regularUser, "admin") + actionsTrustTestAssertTrustPanel(t, regularSession, pullRequestLink) + actionsTrustTestAssertTrustPanel(t, ownerSession, pullRequestLink) + }) + + t.Run("The newly implicitly trusted user can approve its own runs", func(t *testing.T) { + actionsTrustTestClickTrustPanel(t, regularSession, pullRequestLink, string(actions_service.UserTrustedOnce)) + actionsTrustTestAssertNoTrustPanel(t, regularSession, pullRequestLink) + actionsTrustTestAssertNoTrustPanel(t, ownerSession, pullRequestLink) + }) + }) +} + +func TestActionsPullRequestTrustPanelExplicit(t *testing.T) { onApplicationRun(t, func(t *testing.T, u *url.URL) { ownerUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) // owner of the repo