From 4f5a2117c37f1bf89d1686f407dff600a8783a97 Mon Sep 17 00:00:00 2001
From: js6pak <me@6pak.dev>
Date: Wed, 30 Aug 2023 00:13:16 +0200
Subject: [PATCH] Include the GITHUB_TOKEN/GITEA_TOKEN secret for fork pull
 requests (#26759)

Include `GITHUB_TOKEN`/`GITEA_TOKEN` secrets for actions triggered by
pull requests

This makes it consistent with the environment variables which you can
already access

```shell
echo env: $GITHUB_TOKEN
echo expression: ${{ secrets.GITHUB_TOKEN }}
```
before

![image](https://github.com/go-gitea/gitea/assets/35262707/b6f750f6-3995-40f0-b8aa-df01e7997c37)
after

![image](https://github.com/go-gitea/gitea/assets/35262707/ab74464b-7638-458a-afd5-f39e6101d2cf)

---------

Co-authored-by: Jason Song <i@wolfogre.com>
Co-authored-by: Giteabot <teabot@gitea.io>
---
 routers/api/actions/runner/utils.go | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/routers/api/actions/runner/utils.go b/routers/api/actions/runner/utils.go
index e95df7a00f..b8c7ca842a 100644
--- a/routers/api/actions/runner/utils.go
+++ b/routers/api/actions/runner/utils.go
@@ -55,8 +55,12 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv
 
 func getSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[string]string {
 	secrets := map[string]string{}
+
+	secrets["GITHUB_TOKEN"] = task.Token
+	secrets["GITEA_TOKEN"] = task.Token
+
 	if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget {
-		// ignore secrets for fork pull request
+		// ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated.
 		// for the tasks triggered by pull_request_target event, they could access the secrets because they will run in the context of the base branch
 		// see the documentation: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
 		return secrets
@@ -82,13 +86,6 @@ func getSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[s
 		}
 	}
 
-	if _, ok := secrets["GITHUB_TOKEN"]; !ok {
-		secrets["GITHUB_TOKEN"] = task.Token
-	}
-	if _, ok := secrets["GITEA_TOKEN"]; !ok {
-		secrets["GITEA_TOKEN"] = task.Token
-	}
-
 	return secrets
 }