mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-07-13 04:58:46 +00:00
When the status of a user makes it implicitly trusted to run actions (for instance when it becomes a member of the Owners team of an organization), the runs that were blocked before they became trusted will need to be approved or denied.
The trust management panel was not displayed if the poster of the pull request was trusted. It is now displayed regardless of the current trust status of the user.
Closes forgejo/forgejo#12811
---
## Alternative implementation
An alternative implementation would be to approve all pending runs whenever the trust status of a user changes. That would require that change to happen when the user joins a team with permissions to run actions, becomes an admin, a collaborator to a repository with write access or when a repository ownership is transferred to an organization where the user already has such rights.
Such an implementation would save the effort of manually taking care of the runs pending approval for the now trusted user. But it would also be fragile to maintain because it would need a complete inventory of all the ways a user can become trusted. Or some kind of notification triggered whenever such an event happens, which is not currently in place.
Since this is a rare case and the manual operation is simple, I think the easiest fix consisting of showing the trust panel regardless of the trust status of the user is acceptable.
## Lingering rows in `ActionUser`
If a newly trusted user is explicitly always trusted **after** being implicitly trusted, a row is created in `ActionUser`. But the `Revoke` button will never show, because the user is now implicitly trusted. This leaves a lingering row in the `ActionUser` table. Such a row will be [removed](!9397 (commit e41bcf5048)) eventually and not clutter the table.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests for Go changes
(can be removed for JavaScript changes)
- I added test coverage for Go changes...
- [ ] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
- [x] `make pr-go` before pushing
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*
The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- User Interface bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/12812): <!--number 12812 --><!--line 0 --><!--description Zml4OiBzaG93IHRoZSBhY3Rpb25zIHRydXN0IG1hbmFnZW1lbnQgcGFuZWwgd2hlbiBydW5zIGZyb20gdHJ1c3RlZCB1c2VycyBhcmUgcGVuZGluZyBhcHByb3ZhbA==-->fix: show the actions trust management panel when runs from trusted users are pending approval<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12812
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
53 lines
3.2 KiB
Go HTML Template
53 lines
3.2 KiB
Go HTML Template
{{/*
|
|
Template Attributes:
|
|
* CanReadUnitActions: true if the actions unit is active and readable
|
|
* SomePullRequestRunsNeedApproval: true if there is at least one run waiting for approval
|
|
* UserCanDelegateTrustWithPullRequest: true if the user can delegate trust in the context of pull requests
|
|
* PullRequestPosterIsNotTrustedWithActions: true if the poster of the pull request needs to be approved to run actions
|
|
* PullRequestPosterIsExplicitlyTrustedWithActions: true if the poster of the pull request is trusted to run actions (once or always)
|
|
* PullRequestPosterIsImplicitlyTrustedWithActions: true if the poster of the pull request is trusted to run actions because of elevated permissions
|
|
* Link: URL to the pull request
|
|
*/}}
|
|
|
|
{{if .CanReadUnitActions}}
|
|
{{if and .UserCanDelegateTrustWithPullRequest .PullRequestPosterIsExplicitlyTrustedWithActions}}
|
|
<div class="pull-request-trust-panel" id="pull-request-trust-panel">
|
|
<div class="divider"></div>
|
|
<div class="item item-section">
|
|
<div data-tooltip-content="{{ctx.Locale.Tr "repo.pulls.poster_is_trusted.tooltip"}}">
|
|
{{ctx.Locale.Tr "repo.pulls.poster_is_trusted" "https://forgejo.org/docs/latest/user/actions/security-pull-request/"}}
|
|
</div>
|
|
<form id="pull-request-trust-panel-revoke" method="post" action="{{.Link}}/action-user-trust">
|
|
<input type="hidden" name="trust" value="revoke">
|
|
<button class="primary button" data-tooltip-content="{{ctx.Locale.Tr "repo.pulls.poster_trust_revoke.tooltip"}}">{{ctx.Locale.Tr "repo.pulls.poster_trust_revoke"}}</button>
|
|
</form>
|
|
</div>
|
|
</div>
|
|
{{else if .SomePullRequestRunsNeedApproval}}
|
|
<div class="pull-request-trust-panel" id="pull-request-trust-panel">
|
|
<div class="divider"></div>
|
|
<div class="item item-section">
|
|
<div data-tooltip-content="{{ctx.Locale.Tr "repo.pulls.poster_requires_approval.tooltip"}}">
|
|
{{svg "octicon-alert" 16 "text red"}}
|
|
{{ctx.Locale.Tr "repo.pulls.poster_requires_approval" "https://forgejo.org/docs/latest/user/actions/security-pull-request/"}}
|
|
</div>
|
|
{{if .UserCanDelegateTrustWithPullRequest}}
|
|
<div class="button-sequence">
|
|
<form id="pull-request-trust-panel-deny" method="post" action="{{.Link}}/action-user-trust">
|
|
<input type="hidden" name="trust" value="deny">
|
|
<button class="primary button" data-tooltip-content="{{ctx.Locale.Tr "repo.pulls.poster_trust_deny.tooltip"}}">{{ctx.Locale.Tr "repo.pulls.poster_trust_deny"}}</button>
|
|
</form>
|
|
<form id="pull-request-trust-panel-once" method="post" action="{{.Link}}/action-user-trust">
|
|
<input type="hidden" name="trust" value="once">
|
|
<button class="primary button" data-tooltip-content="{{ctx.Locale.Tr "repo.pulls.poster_trust_once.tooltip"}}">{{ctx.Locale.Tr "repo.pulls.poster_trust_once"}}</button>
|
|
</form>
|
|
<form id="pull-request-trust-panel-always" method="post" action="{{.Link}}/action-user-trust">
|
|
<input type="hidden" name="trust" value="always">
|
|
<button class="primary button" data-tooltip-content="{{ctx.Locale.Tr "repo.pulls.poster_trust_always.tooltip"}}">{{ctx.Locale.Tr "repo.pulls.poster_trust_always"}}</button>
|
|
</form>
|
|
</div>
|
|
{{end}}
|
|
</div>
|
|
</div>
|
|
{{end}}
|
|
{{end}}
|