gitforge/templates
Catherine 0c418d2c0e feat: add /api/v1/actions/run endpoint (#12727)
This endpoint returns the Actions run metadata for the automatic token, making it possible for external services to authenticate a specific workflow run and understand its security context (e.g. whether it is a pull request run and if yes what pull request it is).

The concrete motivating case for this feature is safe pull request preview rendering. Currently, even Forgejo itself ([forgejo/docs](https://codeberg.org/forgejo/docs/src/branch/next/.forgejo/workflows/pr.yml), [forgejo/website](https://codeberg.org/forgejo/website/src/branch/main/.forgejo/workflows/pr.yml)) uses carefully managed `pull_request_target` workflows for this task. The `pull_request_target` workflow type coupled with intentionally cloning the merge head is widely recognized as insecure, including by Forgejo developers. However, right now there is no particularly good replacement for this approach: Forgejo doesn't expose enough metadata to grant an Actions run permissions to update a part of a website, and only that part (by whichever mechanism this would happen).

I am one of the developers of [git-pages](https://codeberg.org/git-pages/git-pages), which is used as the new Codeberg Pages backend. I would like to implement native support for pull request previews that does not rely on carefully written but still fragile workflows that try to hide authorization tokens from untrusted code, but rather recognizes "pull request Actions run" as a unique kind of security context, and allow it to publish to a special "preview zone", segregated by the repository name and PR number. To do this I need to be able to authorize a specific workflow run. Right now there's no reasonable way to do this, but with the new endpoint it becomes trivial: actions/git-pages passes the automatic token to git-pages, git-pages asks Forgejo for metadata then forms an authorized site URL (e.g. `http://<reponame>-<username>-pr-<number>.preview.codeberg.page` though this is not the final format) to which this PR workflow may upload a site.

The API endpoint implemented in this PR has been discussed in the Matrix room and I understood that this change would be uncontroversial, hence I'm sending this PR right away instead of opening a feature request first. It doesn't introduce new response types, only returns an `ActionRun` for the authorization token. The namespaced URL `/api/v1/actions/run` was chosen because there are a number of things one could conceivably want to retrieve (e.g. `/api/v1/actions/job`); this specific endpoint seems by far the most useful though.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [x] I did not document these changes and I do not expect someone else to do it.
  The new API endpint is surfaced in Swagger, which seems sufficient.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12727
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: crystal <crystal@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-26 16:03:21 +02:00
..
admin chore(i18n): May 2026 maintenence (#12718) 2026-05-25 10:59:49 +02:00
api/packages/pypi
base fix: adds missing AppSubUrl to the webmanifest's location (#12702) 2026-05-23 16:33:32 +02:00
custom feat(ui): provide ability to add a warning message to the registration/login screens (#12597) 2026-05-21 06:04:41 +02:00
demo chore: dialog modal max-width rendering failure (#12469) 2026-05-08 08:01:34 +02:00
explore fix(ui): use octicon-repo-forked in repo list (#10227) 2025-11-26 11:21:20 +01:00
htmx fix(ui): Make 'Clear milestone' work with HTMX (#8266) 2025-08-11 20:10:10 +02:00
mail i18n(mailer): Fix special usage of .Locale in admin_new_user (#12009) 2026-04-14 07:20:16 +02:00
moderation feat: replace cross origin protection (#9830) 2025-10-29 22:43:22 +01:00
org fix(ui): fix and simplify org invite template view (#12580) 2026-05-19 21:17:08 +02:00
package feat: migrate show-modal to native dialogs (#10287) 2026-05-03 06:42:14 +02:00
projects feat: migrate show-modal to native dialogs (#10287) 2026-05-03 06:42:14 +02:00
repo fix: display the actions trust management panel on merged and closed pull requests (#12704) 2026-05-23 18:21:21 +02:00
shared fix: emoji's should not render in inline code blocks in issue lists (#12644) 2026-05-22 13:20:42 +02:00
status fix(ui): remove extra helpers from statuspages (#9753) 2025-10-20 12:03:58 +02:00
swagger feat: add /api/v1/actions/run endpoint (#12727) 2026-05-26 16:03:21 +02:00
user feat: add "Forgejo Actions (Local)" authorized integration UI (#12672) 2026-05-23 16:26:28 +02:00
webhook chore: rename SafeHTML to TrustHTML (#11481) 2026-03-08 02:41:37 +01:00
home.tmpl Split Forgejo landing page template to allow patching or removing Forgejo introduction section (#6675) 2025-02-03 08:41:52 +00:00
home_forgejo.tmpl
install.tmpl Added alt's to <img> 2025-01-31 21:22:00 +00:00
post-install.tmpl