diff --git a/routers/web/repo/githttp.go b/routers/web/repo/githttp.go
index 502e403e06..d0030033d9 100644
--- a/routers/web/repo/githttp.go
+++ b/routers/web/repo/githttp.go
@@ -221,7 +221,8 @@ func httpBase(ctx *context.Context) *serviceHandler {
 }
 // Block clone/pull for limited visibility repos if user is not a collaborator
- if repo.IsLimited && isPull && !isWiki {
+ // Skip this check for action tokens — their access was already validated above
+ if repo.IsLimited && isPull && !isWiki && ctx.Data["IsActionsToken"] != true {
 allowed := ctx.Doer.IsAdmin || ctx.Doer.ID == repo.OwnerID
 if !allowed {
 if isCollab, _ := repo_model.IsCollaborator(ctx, repo.ID, ctx.Doer.ID); isCollab {
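Review bot: The added `ctx.Data["IsActionsToken"] != true` clause makes an untyped `ctx.Data` entry the only thing that exempts a request from the limited-visibility collaborator gate, and the validation the new comment relies on ("validated above") is not visible in this hunk. Before merging, confirm that the earlier Actions-token branch returns on every failure path and ties the token's task to this `repo.ID` for pulls; if it does not, this gate is skipped without any repo-scoped check replacing it. The comparison itself fails closed (a missing or non-bool value keeps the check), which is the right default. I would spell the invariant out in the comment, e.g. `// Actions tokens skip this gate: the token branch above must already have rejected tasks that do not belong to repo.ID`, and preferably carry the result in a local bool set by that branch rather than re-reading `ctx.Data` here. httpBase begins and ends outside the hunk, so this is inferred from the visible lines only.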