From 8745968b83fa9ef5e1a30e9f3dce6bb1d2d50d35 Mon Sep 17 00:00:00 2001
From: logikonline
Date: Tue, 27 Jan 2026 08:45:45 -0500
Subject: [PATCH] fix(githttp): skip limited repo check for action tokens

Action tokens have their access already validated earlier in the flow, so they should bypass the limited visibility repository check for clone/pull operations.
---
 routers/web/repo/githttp.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/routers/web/repo/githttp.go b/routers/web/repo/githttp.go
index 502e403e06..d0030033d9 100644
--- a/routers/web/repo/githttp.go
+++ b/routers/web/repo/githttp.go
@@ -221,7 +221,8 @@ func httpBase(ctx *context.Context) *serviceHandler {
 }
 
 // Block clone/pull for limited visibility repos if user is not a collaborator
- if repo.IsLimited && isPull && !isWiki {
+ // Skip this check for action tokens — their access was already validated above
+ if repo.IsLimited && isPull && !isWiki && ctx.Data["IsActionsToken"] != true {
 allowed := ctx.Doer.IsAdmin || ctx.Doer.ID == repo.OwnerID
 if !allowed {
 if isCollab, _ := repo_model.IsCollaborator(ctx, repo.ID, ctx.Doer.ID); isCollab {
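Review bot: The added `ctx.Data["IsActionsToken"] != true` clause switches the limited-visibility check off for every request carrying that flag, so a limited repo is then protected only by whatever validation ran earlier in httpBase, which lies outside this hunk and cannot be confirmed from here. If that earlier step does not tie the token to this `repo.ID`, a token issued for a different repository would presumably pass the pull path for a limited one. The comment should therefore name the exact guarantee it relies on rather than "validated above", for example `// Actions tokens skip this check: the token was already verified to belong to this repo earlier in httpBase`. The comparison itself fails closed, since a missing or non-bool value keeps the check enforced; that is worth stating in the comment so a later refactor does not invert it. A regression test that uses an actions token against a limited repo it was not issued for would pin the behaviour.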