go-gitea · Zettat123 · Jun 23, 2026
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
@@ -3002,6 +3002,10 @@ LEVEL = Info
 ;; Comma-separated list of workflow directories, the first one to exist
 ;; in a repo is used to find Actions workflow files
 ;WORKFLOW_DIRS = .gitea/workflows,.github/workflows
+;; Comma-separated list of scoped workflow directories in a source repository, the first one to exist is used.
+;; Files here are picked up only when the repo is registered as a scoped-workflow source; in any other repo they neither run repo-level nor scope-level.
+;; Must not overlap with WORKFLOW_DIRS. Leave empty to disable.
+;SCOPED_WORKFLOW_DIRS = .gitea/scoped_workflows
 ;; Maximum number of attempts a single workflow run can have. Default value is 50.
 ;MAX_RERUN_ATTEMPTS = 50
 

diff --git a/models/actions/run.go b/models/actions/run.go
@@ -30,7 +30,7 @@ type ActionRun struct {
 	RepoID            int64                  `xorm:"unique(repo_index)"`
 	Repo              *repo_model.Repository `xorm:"-"`
 	OwnerID           int64                  `xorm:"index"`
-	WorkflowID        string                 `xorm:"index"`                    // the name of workflow file
+	WorkflowID        string                 `xorm:"index"`                    // the workflow file's entry name, e.g. ci.yaml (this run's workflow identity)
 	Index             int64                  `xorm:"index unique(repo_index)"` // a unique number for each run of a repository
 	TriggerUserID     int64                  `xorm:"index"`
 	TriggerUser       *user_model.User       `xorm:"-"`
@@ -48,6 +48,13 @@ type ActionRun struct {
 	Version           int                          `xorm:"version default 0"` // Status could be updated concomitantly, so an optimistic lock is needed
 	RawConcurrency    string                       // raw concurrency
 
+	// WorkflowRepoID/WorkflowCommitSHA record the (repo, commit) the run's workflow file content came from.
+	// Always filled (repo-level run = the repo itself; scoped run = the source repo).
+	WorkflowRepoID    int64  `xorm:"NOT NULL DEFAULT 0"`
+	WorkflowCommitSHA string `xorm:"VARCHAR(64) NOT NULL DEFAULT ''"`
+
+	IsScopedRun bool `xorm:"NOT NULL DEFAULT false"` // IsScopedRun explicitly classifies scoped runs.
+
 	// Started and Stopped are identical to the latest attempt after ActionRunAttempt was introduced.
 	// When a rerun creates a new latest attempt, they are reset until the new attempt starts and stops.
 	Started timeutil.TimeStamp
@@ -86,6 +93,10 @@ func (run *ActionRun) WorkflowLink() string {
 	if run.Repo == nil {
 		return ""
 	}
+	// A scoped run's workflow is disambiguated by its source repo, so carry workflow_repo_id back to the run list
+	if run.IsScopedRun {
+		return fmt.Sprintf("%s/actions/?workflow=%s&workflow_repo_id=%d", run.Repo.Link(), run.WorkflowID, run.WorkflowRepoID)
+	}
 	return fmt.Sprintf("%s/actions/?workflow=%s", run.Repo.Link(), run.WorkflowID)
 }
 

diff --git a/models/actions/run_list.go b/models/actions/run_list.go
@@ -10,6 +10,7 @@ import (
 	repo_model "gitea.dev/models/repo"
 	user_model "gitea.dev/models/user"
 	"gitea.dev/modules/container"
+	"gitea.dev/modules/optional"
 	"gitea.dev/modules/translation"
 	webhook_module "gitea.dev/modules/webhook"
 
@@ -61,7 +62,9 @@ type FindRunOptions struct {
 	RepoID           int64
 	OwnerID          int64
 	WorkflowID       string
-	Ref              string // the commit/tag/… that caused this workflow
+	WorkflowRepoID   int64                 // source-aware filter: the repo a run's workflow content came from (0 = any)
+	IsScopedRun      optional.Option[bool] // is the run from a scoped workflow
+	Ref              string                // the commit/tag/… that caused this workflow
 	TriggerUserID    int64
 	TriggerEvent     webhook_module.HookEventType
 	Status           []Status
@@ -77,6 +80,12 @@ func (opts FindRunOptions) ToConds() builder.Cond {
 	if opts.WorkflowID != "" {
 		cond = cond.And(builder.Eq{"`action_run`.workflow_id": opts.WorkflowID})
 	}
+	if opts.WorkflowRepoID > 0 {
+		cond = cond.And(builder.Eq{"`action_run`.workflow_repo_id": opts.WorkflowRepoID})
+	}
+	if opts.IsScopedRun.Has() {
+		cond = cond.And(builder.Eq{"`action_run`.is_scoped_run": opts.IsScopedRun.Value()})
+	}
 	if opts.TriggerUserID > 0 {
 		cond = cond.And(builder.Eq{"`action_run`.trigger_user_id": opts.TriggerUserID})
 	}

diff --git a/models/actions/run_list_test.go b/models/actions/run_list_test.go
@@ -6,10 +6,12 @@ package actions
 import (
 	"testing"
 
+	"gitea.dev/models/db"
 	"gitea.dev/models/unittest"
 	"gitea.dev/modules/translation"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestGetRunWorkflowIDs(t *testing.T) {
@@ -35,3 +37,48 @@ func TestGetStatusInfoList(t *testing.T) {
 		{Status: int(StatusCancelling), StatusName: StatusCancelling.String(), DisplayedStatus: "actions.status.cancelling"},
 	}, statusInfoList)
 }
+
+// TestFindRunOptions_WorkflowRepoID: two runs share the bare WorkflowID but come from different content-source repos;
+// the source-aware WorkflowRepoID filter must separate them.
+func TestFindRunOptions_WorkflowRepoID(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	const (
+		repoID     = int64(4)
+		sourceA    = int64(111)
+		sourceB    = int64(222)
+		workflowID = "u3-shared.yaml"
+	)
+	for _, spec := range []struct{ id, workflowRepoID int64 }{
+		{99801, sourceA},
+		{99802, sourceB},
+	} {
+		require.NoError(t, db.Insert(t.Context(), &ActionRun{
+			ID:             spec.id,
+			Index:          spec.id,
+			RepoID:         repoID,
+			OwnerID:        1,
+			TriggerUserID:  1,
+			WorkflowID:     workflowID,
+			WorkflowRepoID: spec.workflowRepoID,
+			IsScopedRun:    true,
+		}))
+	}
+
+	// no source filter -> both
+	all, err := db.Find[ActionRun](t.Context(), FindRunOptions{RepoID: repoID, WorkflowID: workflowID})
+	require.NoError(t, err)
+	assert.Len(t, all, 2)
+
+	// filter by source A -> only the run whose content came from A
+	onlyA, err := db.Find[ActionRun](t.Context(), FindRunOptions{RepoID: repoID, WorkflowID: workflowID, WorkflowRepoID: sourceA})
+	require.NoError(t, err)
+	require.Len(t, onlyA, 1)
+	assert.EqualValues(t, 99801, onlyA[0].ID)
+
+	// filter by source B -> only the run whose content came from B
+	onlyB, err := db.Find[ActionRun](t.Context(), FindRunOptions{RepoID: repoID, WorkflowID: workflowID, WorkflowRepoID: sourceB})
+	require.NoError(t, err)
+	require.Len(t, onlyB, 1)
+	assert.EqualValues(t, 99802, onlyB[0].ID)
+}
diff --git a/models/actions/run_test.go b/models/actions/run_test.go
@@ -44,3 +44,15 @@ func TestActionRun_Duration_NonNegative(t *testing.T) {
 	}
 	assert.Equal(t, time.Duration(0), run.Duration())
 }
+
+func TestActionRun_WorkflowLink(t *testing.T) {
+	repo := &repo_model.Repository{OwnerName: "org", Name: "consumer"}
+
+	// a repo-level run links by file name only
+	repoLevel := &ActionRun{Repo: repo, WorkflowID: "ci.yaml", WorkflowRepoID: repo.ID}
+	assert.Equal(t, repo.Link()+"/actions/?workflow=ci.yaml", repoLevel.WorkflowLink())
+
+	// a scoped run carries its source repo id back, so the list stays filtered to that source
+	scoped := &ActionRun{Repo: repo, WorkflowID: "ci.yaml", WorkflowRepoID: 42, IsScopedRun: true}
+	assert.Equal(t, repo.Link()+"/actions/?workflow=ci.yaml&workflow_repo_id=42", scoped.WorkflowLink())
+}
diff --git a/models/actions/scoped_workflow.go b/models/actions/scoped_workflow.go
@@ -0,0 +1,156 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"context"
+	"fmt"
+
+	"gitea.dev/models/db"
+	repo_model "gitea.dev/models/repo"
+	"gitea.dev/modules/timeutil"
+	"gitea.dev/modules/util"
+
+	"xorm.io/builder"
+)
+
+// ActionScopedWorkflowSource registers a repository as a source of scoped workflows, either for an owner (user/org) or for the whole instance.
+type ActionScopedWorkflowSource struct {
+	ID int64 `xorm:"pk autoincr"`
+
+	// OwnerID is the scope the source applies to: a user/org ID (applies to that owner's repos), or 0 for instance-level (applies to every repo).
+	OwnerID int64 `xorm:"UNIQUE(owner_repo) NOT NULL DEFAULT 0"`
+	// SourceRepoID is the source repository providing the workflow files; always non-zero.
+	SourceRepoID int64 `xorm:"INDEX UNIQUE(owner_repo) NOT NULL DEFAULT 0"`
+
+	// WorkflowConfigs maps a workflow ID (entry name) to its merge-gate config.
+	WorkflowConfigs map[string]*ScopedWorkflowConfig `xorm:"JSON TEXT 'workflow_configs'"`
+
+	CreatedUnix timeutil.TimeStamp `xorm:"created"`
+	UpdatedUnix timeutil.TimeStamp `xorm:"updated"`
+}
+
+// ScopedWorkflowConfig is one workflow's merge-gate config within a source registration:
+// whether it is required and the status-check patterns that must be present and pass.
+type ScopedWorkflowConfig struct {
+	Required bool     `json:"required"`
+	Patterns []string `json:"patterns"`
+}
+
+func init() {
+	db.RegisterModel(new(ActionScopedWorkflowSource))
+}
+
+// IsWorkflowRequired reports whether the given workflow ID (entry name) is marked required in this source.
+func (s *ActionScopedWorkflowSource) IsWorkflowRequired(workflowID string) bool {
+	c, ok := s.WorkflowConfigs[workflowID]
+	return ok && c.Required
+}
+
+type FindScopedWorkflowSourceOpts struct {
+	db.ListOptions
+	OwnerIDs     []int64
+	SourceRepoID int64
+}
+
+func (opts FindScopedWorkflowSourceOpts) ToConds() builder.Cond {
+	cond := builder.NewCond()
+	if len(opts.OwnerIDs) > 0 {
+		cond = cond.And(builder.In("owner_id", opts.OwnerIDs))
+	}
+	if opts.SourceRepoID != 0 {
+		cond = cond.And(builder.Eq{"source_repo_id": opts.SourceRepoID})
+	}
+	return cond
+}
+
+// GetEffectiveScopedWorkflowSources returns the scoped-workflow sources effective for a repo owned by repoOwnerID:
+// the owner's own sources plus instance-level (owner_id=0) sources.
+func GetEffectiveScopedWorkflowSources(ctx context.Context, repoOwnerID int64) ([]*ActionScopedWorkflowSource, error) {
+	owners := []int64{0}
+	if repoOwnerID != 0 {
+		owners = append(owners, repoOwnerID)
+	}
+	return db.Find[ActionScopedWorkflowSource](ctx, FindScopedWorkflowSourceOpts{OwnerIDs: owners})
+}
+
+// IsScopedWorkflowSourceEffective reports whether sourceRepoID is a scoped-workflow source effective for a repo owned by repoOwnerID.
+func IsScopedWorkflowSourceEffective(ctx context.Context, repoOwnerID, sourceRepoID int64) (bool, error) {
+	owners := []int64{0}
+	if repoOwnerID != 0 {
+		owners = append(owners, repoOwnerID)
+	}
+	return db.Exist[ActionScopedWorkflowSource](ctx, FindScopedWorkflowSourceOpts{OwnerIDs: owners, SourceRepoID: sourceRepoID}.ToConds())
+}
+
+// IsWorkflowRequiredInSources reports whether workflowID from sourceRepoID is required by any of the given sources.
+func IsWorkflowRequiredInSources(sources []*ActionScopedWorkflowSource, sourceRepoID int64, workflowID string) bool {
+	for _, s := range sources {
+		if s.SourceRepoID == sourceRepoID && s.IsWorkflowRequired(workflowID) {
+			return true
+		}
+	}
+	return false
+}
+
+// ScopedStatusContextPrefix returns the source-repo prefix that makes a scoped run's commit-status context distinct from same-named workflows.
+func ScopedStatusContextPrefix(ctx context.Context, sourceRepoID int64) string {
+	if sourceRepo, err := repo_model.GetRepositoryByID(ctx, sourceRepoID); err == nil {
+		return sourceRepo.FullName()
+	}
+	return fmt.Sprintf("scoped:%d", sourceRepoID)
+}
+
+// IsScopedWorkflowRequired reports whether workflowID from sourceRepoID is required for a repo owned by consumerOwnerID.
+func IsScopedWorkflowRequired(ctx context.Context, consumerOwnerID, sourceRepoID int64, workflowID string) (bool, error) {
+	sources, err := GetEffectiveScopedWorkflowSources(ctx, consumerOwnerID)
+	if err != nil {
+		return false, err
+	}
+	return IsWorkflowRequiredInSources(sources, sourceRepoID, workflowID), nil
+}
+
+// GetScopedWorkflowSourcesByOwner returns the sources an owner (user/org, or 0 for instance) registered.
+func GetScopedWorkflowSourcesByOwner(ctx context.Context, ownerID int64) ([]*ActionScopedWorkflowSource, error) {
+	return db.Find[ActionScopedWorkflowSource](ctx, FindScopedWorkflowSourceOpts{OwnerIDs: []int64{ownerID}})
+}
+
+// GetScopedWorkflowSource returns the (owner, repo) source registration or a NotExist error.
+func GetScopedWorkflowSource(ctx context.Context, ownerID, repoID int64) (*ActionScopedWorkflowSource, error) {
+	src := &ActionScopedWorkflowSource{}
+	has, err := db.GetEngine(ctx).Where("owner_id = ? AND source_repo_id = ?", ownerID, repoID).Get(src)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return nil, util.NewNotExistErrorf("scoped workflow source (owner %d, repo %d) does not exist", ownerID, repoID)
+	}
+	return src, nil
+}
+
+// AddScopedWorkflowSource registers repoID as a source for ownerID (no-op if already registered).
+func AddScopedWorkflowSource(ctx context.Context, ownerID, repoID int64) error {
+	exists, err := db.GetEngine(ctx).Where("owner_id = ? AND source_repo_id = ?", ownerID, repoID).Exist(new(ActionScopedWorkflowSource))
+	if err != nil {
+		return err
+	}
+	if exists {
+		return nil
+	}
+	return db.Insert(ctx, &ActionScopedWorkflowSource{OwnerID: ownerID, SourceRepoID: repoID})
+}
+
+// SetScopedWorkflowSourceConfigs replaces the per-workflow merge-gate configs (workflow ID -> config).
+func SetScopedWorkflowSourceConfigs(ctx context.Context, ownerID, repoID int64, configs map[string]*ScopedWorkflowConfig) error {
+	_, err := db.GetEngine(ctx).Where("owner_id = ? AND source_repo_id = ?", ownerID, repoID).
+		Cols("workflow_configs").
+		Update(&ActionScopedWorkflowSource{WorkflowConfigs: configs})
+	return err
+}
+
+// RemoveScopedWorkflowSource removes the (owner, repo) source registration.
+func RemoveScopedWorkflowSource(ctx context.Context, ownerID, repoID int64) error {
+	_, err := db.GetEngine(ctx).Where("owner_id = ? AND source_repo_id = ?", ownerID, repoID).Delete(new(ActionScopedWorkflowSource))
+	return err
+}