From 897fffe2ba69775ce636a63e74d306ba7564aede Mon Sep 17 00:00:00 2001
From: js6pak
Date: Mon, 28 Aug 2023 00:11:16 +0200
Subject: [PATCH 1/2] Include the GITHUB_TOKEN/GITEA_TOKEN secret for fork pull requests
---
 routers/api/actions/runner/utils.go | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/routers/api/actions/runner/utils.go b/routers/api/actions/runner/utils.go
index e95df7a00fa80..74cc070f30454 100644
--- a/routers/api/actions/runner/utils.go
+++ b/routers/api/actions/runner/utils.go
@@ -55,6 +55,14 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv
 func getSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[string]string {
 secrets := map[string]string{}
+
+ if _, ok := secrets["GITHUB_TOKEN"]; !ok {
+ secrets["GITHUB_TOKEN"] = task.Token
+ }
+ if _, ok := secrets["GITEA_TOKEN"]; !ok {
+ secrets["GITEA_TOKEN"] = task.Token
+ }
+
 if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget {
 // ignore secrets for fork pull request
 // for the tasks triggered by pull_request_target event, they could access the secrets because they will run in the context of the base branch
@@ -82,13 +90,6 @@ func getSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[s
 }
 }
- if _, ok := secrets["GITHUB_TOKEN"]; !ok {
- secrets["GITHUB_TOKEN"] = task.Token
- }
- if _, ok := secrets["GITEA_TOKEN"]; !ok {
- secrets["GITEA_TOKEN"] = task.Token
- }
-
 return secrets
 }
From 0a13adf089aa7c8a0320110cd75f5d7ed260d25b Mon Sep 17 00:00:00 2001
From: Jason Song
Date: Tue, 29 Aug 2023 10:14:04 +0800
Subject: [PATCH 2/2] Apply suggestions from code review
---
 routers/api/actions/runner/utils.go | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/routers/api/actions/runner/utils.go b/routers/api/actions/runner/utils.go
index 74cc070f30454..b8c7ca842a552 100644
--- a/routers/api/actions/runner/utils.go
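Review bot: Nothing in this hunk establishes that `task.Token`, which the new assignments now hand to fork pull-request workflows ahead of the early return, is limited to the access a run of untrusted fork code should have; that boundary is enforced wherever the token is minted, outside this file, and a later change there would silently widen what a fork can do. A comment at the new assignments should record the property the code relies on, e.g. `// task.Token is the per-task token; for fork pull requests it must not carry write access to the base repository (scoped where the token is issued) — TODO confirm`. The `!ok` guards test a map created empty on the line above, so they can never fail and are dead code; the second hunk of this patch is only the matching deletion. getSecretsOfTask continues past the end of this hunk.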
+++ b/routers/api/actions/runner/utils.go
@@ -56,15 +56,11 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv
 func getSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[string]string {
 secrets := map[string]string{}
- if _, ok := secrets["GITHUB_TOKEN"]; !ok {
- secrets["GITHUB_TOKEN"] = task.Token
- }
- if _, ok := secrets["GITEA_TOKEN"]; !ok {
- secrets["GITEA_TOKEN"] = task.Token
- }
+ secrets["GITHUB_TOKEN"] = task.Token
+ secrets["GITEA_TOKEN"] = task.Token
 if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget {
- // ignore secrets for fork pull request
+ // ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated.
 // for the tasks triggered by pull_request_target event, they could access the secrets because they will run in the context of the base branch
 // see the documentation: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
 return secrets
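Review bot: The rewritten comment explains where GITHUB_TOKEN and GITEA_TOKEN come from but not why handing them to a fork run is safe, while the code gives the same `task.Token` to fork and non-fork runs alike and nothing in the hunk narrows that token for forks; the comment should state the constraint the code depends on, e.g. `// ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN: the per-task token, which for fork pull requests must not grant write access to the base repository (scoping is enforced where the token is issued).` With the `!ok` guards removed, whether a repository or organisation secret named GITHUB_TOKEN replaces the task token is now decided by how the secret-loading code below this hunk assigns into the map, which is not visible here; a one-line comment at the two assignments stating the intended precedence would keep that from being changed by accident. getSecretsOfTask continues past the hunk's `return secrets`.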