Also consider actions user when evaluating push privileges on protected branch

Naxdy · Naxdy · commit 301a9caa4c05 · 2025-07-15T15:00:29.000+02:00
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
@@ -2490,12 +2490,12 @@ settings.protect_enable_merge = Enable Merge
 settings.protect_enable_merge_desc = Anyone with write access will be allowed to merge the pull requests into this branch.
 settings.protect_whitelist_committers = Allowlist Restricted Push
 settings.protect_whitelist_committers_desc = Only allowlisted users or teams will be allowed to push to this branch (but not force push).
-settings.protect_whitelist_deploy_keys = Allowlist deploy keys with write access to push.
+settings.protect_whitelist_deploy_keys = Allowlist actions & deploy keys with write access to push.
 settings.protect_whitelist_users = Allowlisted users for pushing:
 settings.protect_whitelist_teams = Allowlisted teams for pushing:
 settings.protect_force_push_allowlist_users = Allowlisted users for force pushing:
 settings.protect_force_push_allowlist_teams = Allowlisted teams for force pushing:
-settings.protect_force_push_allowlist_deploy_keys = Allowlist deploy keys with push access to force push.
+settings.protect_force_push_allowlist_deploy_keys = Allowlist actions & deploy keys with push access to force push.
 settings.protect_merge_whitelist_committers = Enable Merge Allowlist
 settings.protect_merge_whitelist_committers_desc = Allow only allowlisted users or teams to merge pull requests into this branch.
 settings.protect_merge_whitelist_users = Allowlisted users for merging:
diff --git a/routers/private/hook_pre_receive.go b/routers/private/hook_pre_receive.go
@@ -253,7 +253,7 @@ func preReceiveBranch(ctx *preReceiveContext, oldCommitID, newCommitID string, r
 
 	// 5. Check if the doer is allowed to push (and force-push if the incoming push is a force-push)
 	var canPush bool
-	if ctx.opts.DeployKeyID != 0 {
+	if ctx.opts.DeployKeyID != 0 || ctx.user.ID == user_model.ActionsUserID {
 		// This flag is only ever true if protectBranch.CanForcePush is true
 		if isForcePush {
 			canPush = !changedProtectedfiles && protectBranch.CanPush && (!protectBranch.EnableForcePushAllowlist || protectBranch.ForcePushAllowlistDeployKeys)
