From e89647bfab1b58f8013650747d2f4c3c451481fd Mon Sep 17 00:00:00 2001
From: logikonline
Date: Mon, 2 Feb 2026 09:25:13 -0500
Subject: [PATCH] feat(secrets): show org secrets in repo settings as read-only

Displays organization-level secrets in repository settings as read-only when the repo belongs to an organization. Helps users understand which secrets are inherited from the org scope without allowing modification. Adds separate section with org icon and read-only badge.
---
 options/locale/locale_en-US.json | 2 ++
 routers/web/shared/secrets/secrets.go | 17 ++++++++++---
 templates/shared/secrets/add_list.tmpl | 35 ++++++++++++++++++++++++++
 3 files changed, 51 insertions(+), 3 deletions(-)
diff --git a/options/locale/locale_en-US.json b/options/locale/locale_en-US.json
index f7e00873bc..0f51a4d2ff 100644
--- a/options/locale/locale_en-US.json
+++ b/options/locale/locale_en-US.json
@@ -3862,6 +3862,8 @@
 "secrets.global_secrets": "Global Secrets",
 "secrets.global_secrets.description": "These secrets are configured by system administrators and are available to all workflows. They cannot be modified here.",
 "secrets.read_only": "Read-only",
+ "secrets.org_secrets": "Organization Secrets",
+ "secrets.org_secrets.description": "These secrets are configured at the organization level and are available to all repositories in this organization. They cannot be modified here.",
 "actions.actions": "Actions",
 "actions.unit.desc": "Manage actions",
 "actions.status.unknown": "Unknown",
diff --git a/routers/web/shared/secrets/secrets.go b/routers/web/shared/secrets/secrets.go
index e3693278f7..9d1d8af84d 100644
--- a/routers/web/shared/secrets/secrets.go
+++ b/routers/web/shared/secrets/secrets.go
@@ -37,10 +37,21 @@ func SetSecretsContextWithGlobal(ctx *context.Context, ownerID, repoID int64, gl
 globalSecrets, err := db.Find[secret_model.Secret](ctx, secret_model.FindSecretsOptions{Global: true})
 if err != nil {
 log.Error("FindGlobalSecrets failed: %v", err)
- // Don't fail the request, just don't show global secrets
- return
+ } else {
+ ctx.Data["GlobalSecrets"] = globalSecrets
+ }
+
+ // For repo contexts with an org owner, also fetch org secrets to show as read-only
+ if orgOwnerID, ok := ctx.Data["RepoOwnerID"].(int64); ok && orgOwnerID > 0 {
+ if isOrg, _ := ctx.Data["RepoOwnerIsOrg"].(bool); isOrg {
+ orgSecrets, err := db.Find[secret_model.Secret](ctx, secret_model.FindSecretsOptions{OwnerID: orgOwnerID})
+ if err != nil {
+ log.Error("FindOrgSecrets failed: %v", err)
+ } else {
+ ctx.Data["OrgSecrets"] = orgSecrets
+ }
+ }
 }
- ctx.Data["GlobalSecrets"] = globalSecrets
 }
 }
diff --git a/templates/shared/secrets/add_list.tmpl b/templates/shared/secrets/add_list.tmpl
index b3faa424b0..87466001e8 100644
--- a/templates/shared/secrets/add_list.tmpl
+++ b/templates/shared/secrets/add_list.tmpl
@@ -33,6 +33,41 @@ {{end}}
+{{if .OrgSecrets}}
+
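Review bot: The new `RepoOwnerIsOrg` branch in `secrets.go` loads every organization secret for whoever can open the repository's secrets page, with no check of the viewer's role in the organization, so a repository admin who is not an org owner would now see the names and descriptions of org-level secrets. Values are masked in the template, but names and descriptions often reveal which external services and environments the organization uses; either gate the lookup on the viewer's org-level permission or record the decision in the code, e.g. `// Org secret names/descriptions are intentionally visible to repo admins; values are never rendered.` The full `secret_model.Secret` rows are placed in `ctx.Data["OrgSecrets"]`; if that model also carries the stored value, hand the template only name, description and creation time. It is also worth confirming that `FindSecretsOptions{OwnerID: orgOwnerID}` with no repo ID matches only owner-level rows, and that `RepoOwnerID` and `RepoOwnerIsOrg` are set by a caller, since none of the three files in this patch sets them. The function starts before this hunk, so its callers and any existing permission checks are not visible here.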

+ {{ctx.Locale.Tr "secrets.org_secrets"}} + {{ctx.Locale.Tr "secrets.read_only"}} +

+
+

{{ctx.Locale.Tr "secrets.org_secrets.description"}}

+
+ {{range .OrgSecrets}} +
+
+ {{svg "octicon-organization" 32}} +
+
+
+ {{.Name}} +
+
+ {{if .Description}}{{.Description}}{{else}}-{{end}} +
+
+ ****** +
+
+
+ + {{ctx.Locale.Tr "settings.added_on" (DateUtils.AbsoluteShort .CreatedUnix)}} + +
+
+ {{end}} +
+
+{{end}} +

{{ctx.Locale.Tr "secrets.management"}}