[v7.0/forgejo] fix(sec): Forgejo Actions web routes (#6845)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6845 Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2025-02-22 11:25:47 -05:00 · 2025-02-08 09:15:43 +00:00 · 2025-02-08 09:15:43 +00:00 · 1ddb0f55a0
commit 1ddb0f55a0
parent d0e10205fc c8293d0e3c
16 changed files with 476 additions and 93 deletions
--- a/.deadcode-out
+++ b/.deadcode-out
@ -22,7 +22,6 @@ package "code.gitea.io/gitea/models/actions"
 	func (ScheduleList).GetRepoIDs
 	func (ScheduleList).LoadTriggerUser
 	func (ScheduleList).LoadRepos
-	func GetVariableByID

 package "code.gitea.io/gitea/models/asymkey"
 	func (ErrGPGKeyAccessDenied).Error
--- a/models/actions/runner.go
+++ b/models/actions/runner.go
@ -252,12 +252,8 @@ func UpdateRunner(ctx context.Context, r *ActionRunner, cols ...string) error {
 }

 // DeleteRunner deletes a runner by given ID.
-func DeleteRunner(ctx context.Context, id int64) error {
-	if _, err := GetRunnerByID(ctx, id); err != nil {
-		return err
-	}
-
-	_, err := db.DeleteByID[ActionRunner](ctx, id)
+func DeleteRunner(ctx context.Context, r *ActionRunner) error {
+	_, err := db.DeleteByID[ActionRunner](ctx, r.ID)
 	return err
 }

--- a/models/actions/variable.go
+++ b/models/actions/variable.go
@ -6,13 +6,11 @@ package actions
 import (
 	"context"
 	"errors"
-	"fmt"
 	"strings"

 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/timeutil"
-	"code.gitea.io/gitea/modules/util"

 	"xorm.io/builder"
 )
@ -55,28 +53,24 @@ type FindVariablesOpts struct {
 	db.ListOptions
 	OwnerID int64
 	RepoID  int64
+	Name    string
 }

 func (opts FindVariablesOpts) ToConds() builder.Cond {
 	cond := builder.NewCond()
+	// Since we now support instance-level variables,
+	// there is no need to check for null values for `owner_id` and `repo_id`
 	cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
 	cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
+
+	if opts.Name != "" {
+		cond = cond.And(builder.Eq{"name": strings.ToUpper(opts.Name)})
+	}
 	return cond
 }

-func GetVariableByID(ctx context.Context, variableID int64) (*ActionVariable, error) {
-	var variable ActionVariable
-	has, err := db.GetEngine(ctx).Where("id=?", variableID).Get(&variable)
-	if err != nil {
-		return nil, err
-	} else if !has {
-		return nil, fmt.Errorf("variable with id %d: %w", variableID, util.ErrNotExist)
-	}
-	return &variable, nil
-}
-
 func UpdateVariable(ctx context.Context, variable *ActionVariable) (bool, error) {
-	count, err := db.GetEngine(ctx).ID(variable.ID).Cols("name", "data").
+	count, err := db.GetEngine(ctx).ID(variable.ID).Where("owner_id = ? AND repo_id = ?", variable.OwnerID, variable.RepoID).Cols("name", "data").
 		Update(&ActionVariable{
 			Name: variable.Name,
 			Data: variable.Data,
@ -84,6 +78,11 @@ func UpdateVariable(ctx context.Context, variable *ActionVariable) (bool, error)
 	return count != 0, err
 }

+func DeleteVariable(ctx context.Context, variableID, ownerID, repoID int64) (bool, error) {
+	count, err := db.GetEngine(ctx).Table("action_variable").Where("id = ? AND owner_id = ? AND repo_id = ?", variableID, ownerID, repoID).Delete()
+	return count != 0, err
+}
+
 func GetVariablesOfRun(ctx context.Context, run *ActionRun) (map[string]string, error) {
 	variables := map[string]string{}

--- a/modules/util/util.go
+++ b/modules/util/util.go
@ -220,3 +220,12 @@ func Iif[T any](condition bool, trueVal, falseVal T) T {
 	}
 	return falseVal
 }
+
+func ReserveLineBreakForTextarea(input string) string {
+	// Since the content is from a form which is a textarea, the line endings are \r\n.
+	// It's a standard behavior of HTML.
+	// But we want to store them as \n like what GitHub does.
+	// And users are unlikely to really need to keep the \r.
+	// Other than this, we should respect the original content, even leading or trailing spaces.
+	return strings.ReplaceAll(input, "\r\n", "\n")
+}
--- a/modules/util/util_test.go
+++ b/modules/util/util_test.go
@ -236,3 +236,8 @@ func TestToPointer(t *testing.T) {
 	val123 := 123
 	assert.NotSame(t, &val123, ToPointer(val123))
 }
+
+func TestReserveLineBreakForTextarea(t *testing.T) {
+	assert.Equal(t, "test\ndata", ReserveLineBreakForTextarea("test\r\ndata"))
+	assert.Equal(t, "test\ndata\n", ReserveLineBreakForTextarea("test\r\ndata\r\n"))
+}
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@ -3743,6 +3743,7 @@ variables.deletion.description = Removing a variable is permanent and cannot be
 variables.description = Variables will be passed to certain actions and cannot be read otherwise.
 variables.id_not_exist = Variable with ID %d does not exist.
 variables.edit = Edit Variable
+variables.not_found = Failed to find the variable.
 variables.deletion.failed = Failed to remove variable.
 variables.deletion.success = The variable has been removed.
 variables.creation.failed = Failed to add variable.
--- a/routers/web/repo/setting/runners.go
+++ b/routers/web/repo/setting/runners.go
@ -179,7 +179,7 @@ func RunnerDeletePost(ctx *context.Context) {
 		ctx.ServerError("getRunnersCtx", err)
 		return
 	}
-	actions_shared.RunnerDeletePost(ctx, ctx.ParamsInt64(":runnerid"), rCtx.RedirectLink, rCtx.RedirectLink+url.PathEscape(ctx.Params(":runnerid")))
+	actions_shared.RunnerDeletePost(ctx, ctx.ParamsInt64(":runnerid"), rCtx.OwnerID, rCtx.RepoID, rCtx.RedirectLink, rCtx.RedirectLink+url.PathEscape(ctx.Params(":runnerid")))
 }

 func RedirectToDefaultSetting(ctx *context.Context) {
--- a/routers/web/repo/setting/variables.go
+++ b/routers/web/repo/setting/variables.go
@ -127,7 +127,7 @@ func VariableUpdate(ctx *context.Context) {
 		return
 	}

-	shared.UpdateVariable(ctx, vCtx.RedirectLink)
+	shared.UpdateVariable(ctx, vCtx.OwnerID, vCtx.RepoID, vCtx.RedirectLink)
 }

 func VariableDelete(ctx *context.Context) {
@ -136,5 +136,5 @@ func VariableDelete(ctx *context.Context) {
 		ctx.ServerError("getVariablesCtx", err)
 		return
 	}
-	shared.DeleteVariable(ctx, vCtx.RedirectLink)
+	shared.DeleteVariable(ctx, vCtx.OwnerID, vCtx.RepoID, vCtx.RedirectLink)
 }
--- a/routers/web/shared/actions/runners.go
+++ b/routers/web/shared/actions/runners.go
@ -143,10 +143,21 @@ func RunnerResetRegistrationToken(ctx *context.Context, ownerID, repoID int64, r
 }

 // RunnerDeletePost response for deleting a runner
-func RunnerDeletePost(ctx *context.Context, runnerID int64,
+func RunnerDeletePost(ctx *context.Context, runnerID, ownerID, repoID int64,
 	successRedirectTo, failedRedirectTo string,
 ) {
-	if err := actions_model.DeleteRunner(ctx, runnerID); err != nil {
+	runner, err := actions_model.GetRunnerByID(ctx, runnerID)
+	if err != nil {
+		ctx.ServerError("GetRunnerByID", err)
+		return
+	}
+
+	if !runner.Editable(ownerID, repoID) {
+		ctx.NotFound("Editable", util.NewPermissionDeniedErrorf("no permission to edit this runner"))
+		return
+	}
+
+	if err := actions_model.DeleteRunner(ctx, runner); err != nil {
 		log.Warn("DeleteRunnerPost.UpdateRunner failed: %v, url: %s", err, ctx.Req.URL)
 		ctx.Flash.Warning(ctx.Tr("actions.runners.delete_runner_failed"))

--- a/routers/web/shared/actions/variables.go
+++ b/routers/web/shared/actions/variables.go
@ -4,17 +4,13 @@
 package actions

 import (
-	"errors"
-	"regexp"
-	"strings"
-
 	actions_model "code.gitea.io/gitea/models/actions"
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/web"
+	actions_service "code.gitea.io/gitea/services/actions"
 	"code.gitea.io/gitea/services/context"
 	"code.gitea.io/gitea/services/forms"
-	secret_service "code.gitea.io/gitea/services/secrets"
 )

 func SetVariablesContext(ctx *context.Context, ownerID, repoID int64) {
@ -29,90 +25,49 @@ func SetVariablesContext(ctx *context.Context, ownerID, repoID int64) {
 	ctx.Data["Variables"] = variables
 }

-// some regular expression of `variables` and `secrets`
-// reference to:
-// https://docs.github.com/en/actions/learn-github-actions/variables#naming-conventions-for-configuration-variables
-// https://docs.github.com/en/actions/security-guides/encrypted-secrets#naming-your-secrets
-var (
-	forbiddenEnvNameCIRx = regexp.MustCompile("(?i)^CI")
-)
-
-func envNameCIRegexMatch(name string) error {
-	if forbiddenEnvNameCIRx.MatchString(name) {
-		log.Error("Env Name cannot be ci")
-		return errors.New("env name cannot be ci")
-	}
-	return nil
-}
-
 func CreateVariable(ctx *context.Context, ownerID, repoID int64, redirectURL string) {
 	form := web.GetForm(ctx).(*forms.EditVariableForm)

-	if err := secret_service.ValidateName(form.Name); err != nil {
-		ctx.JSONError(err.Error())
-		return
-	}
-
-	if err := envNameCIRegexMatch(form.Name); err != nil {
-		ctx.JSONError(err.Error())
-		return
-	}
-
-	v, err := actions_model.InsertVariable(ctx, ownerID, repoID, form.Name, ReserveLineBreakForTextarea(form.Data))
+	v, err := actions_service.CreateVariable(ctx, ownerID, repoID, form.Name, form.Data)
 	if err != nil {
-		log.Error("InsertVariable error: %v", err)
+		log.Error("CreateVariable: %v", err)
 		ctx.JSONError(ctx.Tr("actions.variables.creation.failed"))
 		return
 	}
+
 	ctx.Flash.Success(ctx.Tr("actions.variables.creation.success", v.Name))
 	ctx.JSONRedirect(redirectURL)
 }

-func UpdateVariable(ctx *context.Context, redirectURL string) {
+func UpdateVariable(ctx *context.Context, ownerID, repoID int64, redirectURL string) {
 	id := ctx.ParamsInt64(":variable_id")
 	form := web.GetForm(ctx).(*forms.EditVariableForm)

-	if err := secret_service.ValidateName(form.Name); err != nil {
-		ctx.JSONError(err.Error())
-		return
-	}
-
-	if err := envNameCIRegexMatch(form.Name); err != nil {
-		ctx.JSONError(err.Error())
-		return
-	}
-
-	ok, err := actions_model.UpdateVariable(ctx, &actions_model.ActionVariable{
-		ID:   id,
-		Name: strings.ToUpper(form.Name),
-		Data: ReserveLineBreakForTextarea(form.Data),
-	})
-	if err != nil || !ok {
-		log.Error("UpdateVariable error: %v", err)
+	if ok, err := actions_service.UpdateVariable(ctx, id, ownerID, repoID, form.Name, form.Data); err != nil || !ok {
+		if !ok {
+			ctx.JSONError(ctx.Tr("actions.variables.not_found"))
+		} else {
+			log.Error("UpdateVariable: %v", err)
 			ctx.JSONError(ctx.Tr("actions.variables.update.failed"))
+		}
 		return
 	}
 	ctx.Flash.Success(ctx.Tr("actions.variables.update.success"))
 	ctx.JSONRedirect(redirectURL)
 }

-func DeleteVariable(ctx *context.Context, redirectURL string) {
+func DeleteVariable(ctx *context.Context, ownerID, repoID int64, redirectURL string) {
 	id := ctx.ParamsInt64(":variable_id")

-	if _, err := db.DeleteByBean(ctx, &actions_model.ActionVariable{ID: id}); err != nil {
+	if ok, err := actions_model.DeleteVariable(ctx, id, ownerID, repoID); err != nil || !ok {
+		if !ok {
+			ctx.JSONError(ctx.Tr("actions.variables.not_found"))
+		} else {
 			log.Error("Delete variable [%d] failed: %v", id, err)
 			ctx.JSONError(ctx.Tr("actions.variables.deletion.failed"))
+		}
 		return
 	}
 	ctx.Flash.Success(ctx.Tr("actions.variables.deletion.success"))
 	ctx.JSONRedirect(redirectURL)
 }
-
-func ReserveLineBreakForTextarea(input string) string {
-	// Since the content is from a form which is a textarea, the line endings are \r\n.
-	// It's a standard behavior of HTML.
-	// But we want to store them as \n like what GitHub does.
-	// And users are unlikely to really need to keep the \r.
-	// Other than this, we should respect the original content, even leading or trailing spaces.
-	return strings.ReplaceAll(input, "\r\n", "\n")
-}
--- a/routers/web/shared/secrets/secrets.go
+++ b/routers/web/shared/secrets/secrets.go
@ -7,8 +7,8 @@ import (
 	"code.gitea.io/gitea/models/db"
 	secret_model "code.gitea.io/gitea/models/secret"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web"
-	"code.gitea.io/gitea/routers/web/shared/actions"
 	"code.gitea.io/gitea/services/context"
 	"code.gitea.io/gitea/services/forms"
 	secret_service "code.gitea.io/gitea/services/secrets"
@ -27,7 +27,7 @@ func SetSecretsContext(ctx *context.Context, ownerID, repoID int64) {
 func PerformSecretsPost(ctx *context.Context, ownerID, repoID int64, redirectURL string) {
 	form := web.GetForm(ctx).(*forms.AddSecretForm)

-	s, _, err := secret_service.CreateOrUpdateSecret(ctx, ownerID, repoID, form.Name, actions.ReserveLineBreakForTextarea(form.Data))
+	s, _, err := secret_service.CreateOrUpdateSecret(ctx, ownerID, repoID, form.Name, util.ReserveLineBreakForTextarea(form.Data))
 	if err != nil {
 		log.Error("CreateOrUpdateSecret failed: %v", err)
 		ctx.JSONError(ctx.Tr("secrets.creation.failed"))
--- a/services/actions/variables.go
+++ b/services/actions/variables.go
@ -0,0 +1,66 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"context"
+	"regexp"
+	"strings"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/util"
+	secret_service "code.gitea.io/gitea/services/secrets"
+)
+
+func CreateVariable(ctx context.Context, ownerID, repoID int64, name, data string) (*actions_model.ActionVariable, error) {
+	if err := secret_service.ValidateName(name); err != nil {
+		return nil, err
+	}
+
+	if err := envNameCIRegexMatch(name); err != nil {
+		return nil, err
+	}
+
+	v, err := actions_model.InsertVariable(ctx, ownerID, repoID, name, util.ReserveLineBreakForTextarea(data))
+	if err != nil {
+		return nil, err
+	}
+
+	return v, nil
+}
+
+func UpdateVariable(ctx context.Context, variableID, ownerID, repoID int64, name, data string) (bool, error) {
+	if err := secret_service.ValidateName(name); err != nil {
+		return false, err
+	}
+
+	if err := envNameCIRegexMatch(name); err != nil {
+		return false, err
+	}
+
+	return actions_model.UpdateVariable(ctx, &actions_model.ActionVariable{
+		ID:      variableID,
+		Name:    strings.ToUpper(name),
+		Data:    util.ReserveLineBreakForTextarea(data),
+		OwnerID: ownerID,
+		RepoID:  repoID,
+	})
+}
+
+// some regular expression of `variables` and `secrets`
+// reference to:
+// https://docs.github.com/en/actions/learn-github-actions/variables#naming-conventions-for-configuration-variables
+// https://docs.github.com/en/actions/security-guides/encrypted-secrets#naming-your-secrets
+var (
+	forbiddenEnvNameCIRx = regexp.MustCompile("(?i)^CI")
+)
+
+func envNameCIRegexMatch(name string) error {
+	if forbiddenEnvNameCIRx.MatchString(name) {
+		log.Error("Env Name cannot be ci")
+		return util.NewInvalidArgumentErrorf("env name cannot be ci")
+	}
+	return nil
+}
--- a/tests/integration/actions_variables_test.go
+++ b/tests/integration/actions_variables_test.go
@ -0,0 +1,150 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package integration
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	forgejo_context "code.gitea.io/gitea/services/context"
+	"code.gitea.io/gitea/tests"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestActionVariablesModification(t *testing.T) {
+	defer tests.AddFixtures("tests/integration/fixtures/TestActionVariablesModification")()
+	defer tests.PrepareTestEnv(t)()
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	userVariable := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionVariable{ID: 1001, OwnerID: user.ID})
+	userURL := "/user/settings/actions/variables"
+	org := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 3, Type: user_model.UserTypeOrganization})
+	orgVariable := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionVariable{ID: 1002, OwnerID: org.ID})
+	orgURL := "/org/" + org.Name + "/settings/actions/variables"
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1, OwnerID: user.ID})
+	repoVariable := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionVariable{ID: 1003, RepoID: repo.ID})
+	repoURL := "/" + repo.FullName() + "/settings/actions/variables"
+	admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{IsAdmin: true})
+	globalVariable := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionVariable{ID: 1004}, "owner_id = 0 AND repo_id = 0")
+	adminURL := "/admin/actions/variables"
+
+	adminSess := loginUser(t, admin.Name)
+	adminCSRF := GetCSRF(t, adminSess, "/")
+	sess := loginUser(t, user.Name)
+	csrf := GetCSRF(t, sess, "/")
+
+	type errorJSON struct {
+		Error string `json:"errorMessage"`
+	}
+
+	test := func(t *testing.T, fail bool, baseURL string, id int64) {
+		defer tests.PrintCurrentTest(t, 1)()
+		t.Helper()
+
+		sess := sess
+		csrf := csrf
+		if baseURL == adminURL {
+			sess = adminSess
+			csrf = adminCSRF
+		}
+
+		req := NewRequestWithValues(t, "POST", baseURL+fmt.Sprintf("/%d/edit", id), map[string]string{
+			"_csrf": csrf,
+			"name":  "glados_quote",
+			"data":  "I'm fine. Two plus two is...ten, in base four, I'm fine!",
+		})
+		if fail {
+			resp := sess.MakeRequest(t, req, http.StatusBadRequest)
+			var error errorJSON
+			DecodeJSON(t, resp, &error)
+			assert.EqualValues(t, "Failed to find the variable.", error.Error)
+		} else {
+			sess.MakeRequest(t, req, http.StatusOK)
+			flashCookie := sess.GetCookie(forgejo_context.CookieNameFlash)
+			assert.NotNil(t, flashCookie)
+			assert.EqualValues(t, "success%3DThe%2Bvariable%2Bhas%2Bbeen%2Bedited.", flashCookie.Value)
+		}
+
+		req = NewRequestWithValues(t, "POST", baseURL+fmt.Sprintf("/%d/delete", id), map[string]string{
+			"_csrf": csrf,
+		})
+		if fail {
+			resp := sess.MakeRequest(t, req, http.StatusBadRequest)
+			var error errorJSON
+			DecodeJSON(t, resp, &error)
+			assert.EqualValues(t, "Failed to find the variable.", error.Error)
+		} else {
+			sess.MakeRequest(t, req, http.StatusOK)
+			flashCookie := sess.GetCookie(forgejo_context.CookieNameFlash)
+			assert.NotNil(t, flashCookie)
+			assert.EqualValues(t, "success%3DThe%2Bvariable%2Bhas%2Bbeen%2Bremoved.", flashCookie.Value)
+		}
+	}
+
+	t.Run("User variable", func(t *testing.T) {
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, true, orgURL, userVariable.ID)
+		})
+		t.Run("Repository", func(t *testing.T) {
+			test(t, true, repoURL, userVariable.ID)
+		})
+		t.Run("Admin", func(t *testing.T) {
+			test(t, true, adminURL, userVariable.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, false, userURL, userVariable.ID)
+		})
+	})
+
+	t.Run("Organisation variable", func(t *testing.T) {
+		t.Run("Repository", func(t *testing.T) {
+			test(t, true, repoURL, orgVariable.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, true, userURL, orgVariable.ID)
+		})
+		t.Run("Admin", func(t *testing.T) {
+			test(t, true, adminURL, userVariable.ID)
+		})
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, false, orgURL, orgVariable.ID)
+		})
+	})
+
+	t.Run("Repository variable", func(t *testing.T) {
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, true, orgURL, repoVariable.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, true, userURL, repoVariable.ID)
+		})
+		t.Run("Admin", func(t *testing.T) {
+			test(t, true, adminURL, userVariable.ID)
+		})
+		t.Run("Repository", func(t *testing.T) {
+			test(t, false, repoURL, repoVariable.ID)
+		})
+	})
+
+	t.Run("Global variable", func(t *testing.T) {
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, true, orgURL, globalVariable.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, true, userURL, globalVariable.ID)
+		})
+		t.Run("Repository", func(t *testing.T) {
+			test(t, true, repoURL, globalVariable.ID)
+		})
+		t.Run("Admin", func(t *testing.T) {
+			test(t, false, adminURL, globalVariable.ID)
+		})
+	})
+}
--- a/tests/integration/fixtures/TestActionVariablesModification/action_variable.yml
+++ b/tests/integration/fixtures/TestActionVariablesModification/action_variable.yml
@ -0,0 +1,31 @@
+-
+  id: 1001
+  name: GLADOS_QUOTE
+  owner_id: 2
+  repo_id: 0
+  data: ""
+  created_unix: 1737000000
+
+-
+  id: 1002
+  name: GLADOS_QUOTE
+  owner_id: 3
+  repo_id: 0
+  data: ""
+  created_unix: 1737000001
+
+-
+  id: 1003
+  name: GLADOS_QUOTE
+  owner_id: 0
+  repo_id: 1
+  data: ""
+  created_unix: 1737000002
+
+-
+  id: 1004
+  name: GLADOS_QUOTE
+  owner_id: 0
+  repo_id: 0
+  data: ""
+  created_unix: 1737000003
--- a/tests/integration/fixtures/TestRunnerModification/action_runner.yml
+++ b/tests/integration/fixtures/TestRunnerModification/action_runner.yml
@ -0,0 +1,31 @@
+-
+  id: 1001
+  uuid: "43b5d4d3-401b-42f9-94df-a9d45b447b82"
+  name: "User runner"
+  owner_id: 2
+  repo_id: 0
+  deleted: 0
+
+-
+  id: 1002
+  uuid: "bdc77f4f-2b2b-442d-bd44-e808f4306347"
+  name: "Organisation runner"
+  owner_id: 3
+  repo_id: 0
+  deleted: 0
+
+-
+  id: 1003
+  uuid: "9268bc8c-efbf-4dbe-aeb5-945733cdd098"
+  name: "Repository runner"
+  owner_id: 0
+  repo_id: 1
+  deleted: 0
+
+-
+  id: 1004
+  uuid: "fb857e63-c0ce-4571-a6c9-fde26c128073"
+  name: "Global runner"
+  owner_id: 0
+  repo_id: 0
+  deleted: 0
--- a/tests/integration/runner_test.go
+++ b/tests/integration/runner_test.go
@ -0,0 +1,130 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package integration
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	forgejo_context "code.gitea.io/gitea/services/context"
+	"code.gitea.io/gitea/tests"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestRunnerModification(t *testing.T) {
+	defer tests.AddFixtures("tests/integration/fixtures/TestRunnerModification")()
+	defer tests.PrepareTestEnv(t)()
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	userRunner := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunner{ID: 1001, OwnerID: user.ID})
+	userURL := "/user/settings/actions/runners"
+	org := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 3, Type: user_model.UserTypeOrganization})
+	orgRunner := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunner{ID: 1002, OwnerID: org.ID})
+	orgURL := "/org/" + org.Name + "/settings/actions/runners"
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1, OwnerID: user.ID})
+	repoRunner := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunner{ID: 1003, RepoID: repo.ID})
+	repoURL := "/" + repo.FullName() + "/settings/actions/runners"
+	admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{IsAdmin: true})
+	globalRunner := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunner{ID: 1004}, "owner_id = 0 AND repo_id = 0")
+	adminURL := "/admin/actions/runners"
+
+	adminSess := loginUser(t, admin.Name)
+	adminCSRF := GetCSRF(t, adminSess, "/")
+	sess := loginUser(t, user.Name)
+	csrf := GetCSRF(t, sess, "/")
+
+	test := func(t *testing.T, fail bool, baseURL string, id int64) {
+		defer tests.PrintCurrentTest(t, 1)()
+		t.Helper()
+
+		sess := sess
+		csrf := csrf
+		if baseURL == adminURL {
+			sess = adminSess
+			csrf = adminCSRF
+		}
+
+		req := NewRequestWithValues(t, "POST", baseURL+fmt.Sprintf("/%d", id), map[string]string{
+			"_csrf":       csrf,
+			"description": "New Description",
+		})
+		if fail {
+			sess.MakeRequest(t, req, http.StatusNotFound)
+		} else {
+			sess.MakeRequest(t, req, http.StatusSeeOther)
+			flashCookie := sess.GetCookie(forgejo_context.CookieNameFlash)
+			assert.NotNil(t, flashCookie)
+			assert.EqualValues(t, "success%3DRunner%2Bupdated%2Bsuccessfully", flashCookie.Value)
+		}
+
+		req = NewRequestWithValues(t, "POST", baseURL+fmt.Sprintf("/%d/delete", id), map[string]string{
+			"_csrf": csrf,
+		})
+		if fail {
+			sess.MakeRequest(t, req, http.StatusNotFound)
+		} else {
+			sess.MakeRequest(t, req, http.StatusOK)
+			flashCookie := sess.GetCookie(forgejo_context.CookieNameFlash)
+			assert.NotNil(t, flashCookie)
+			assert.EqualValues(t, "success%3DRunner%2Bdeleted%2Bsuccessfully", flashCookie.Value)
+		}
+	}
+
+	t.Run("User runner", func(t *testing.T) {
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, true, orgURL, userRunner.ID)
+		})
+		t.Run("Repository", func(t *testing.T) {
+			test(t, true, repoURL, userRunner.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, false, userURL, userRunner.ID)
+		})
+	})
+
+	t.Run("Organisation runner", func(t *testing.T) {
+		t.Run("Repository", func(t *testing.T) {
+			test(t, true, repoURL, orgRunner.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, true, userURL, orgRunner.ID)
+		})
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, false, orgURL, orgRunner.ID)
+		})
+	})
+
+	t.Run("Repository runner", func(t *testing.T) {
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, true, orgURL, repoRunner.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, true, userURL, repoRunner.ID)
+		})
+		t.Run("Repository", func(t *testing.T) {
+			test(t, false, repoURL, repoRunner.ID)
+		})
+	})
+
+	t.Run("Global runner", func(t *testing.T) {
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, true, orgURL, globalRunner.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, true, userURL, globalRunner.ID)
+		})
+		t.Run("Repository", func(t *testing.T) {
+			test(t, true, repoURL, globalRunner.ID)
+		})
+		t.Run("Admin", func(t *testing.T) {
+			test(t, false, adminURL, globalRunner.ID)
+		})
+	})
+}