Support actions and reusable workflows from private repos (#32562)

Resolve https://gitea.com/gitea/act_runner/issues/102

This PR allows administrators of a private repository to specify some
collaborative owners. The repositories of collaborative owners will be
allowed to access this repository's actions and workflows.

Settings for private repos:


![image](https://github.com/user-attachments/assets/e591c877-f94d-48fb-82f3-3b051f21557e)

---

This PR also moves "Enable Actions" setting to `Actions > General` page

<img width="960" alt="image"
src="https://github.com/user-attachments/assets/49337ec2-afb1-4a67-8516-5c9ef0ce05d4"
/>

<img width="960" alt="image"
src="https://github.com/user-attachments/assets/f58ee6d5-17f9-4180-8760-a78e859f1c37"
/>

---------

Signed-off-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: ChristopherHX <christopher.homberger@web.de>

tests/integration/actions_settings_test.go

@@ -0,0 +1,62 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+	"testing"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	auth_model "code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestActionsCollaborativeOwner(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		// user2 is the owner of "reusable_workflow" repo
+		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		user2Session := loginUser(t, user2.Name)
+		user2Token := getTokenForLoggedInUser(t, user2Session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
+		repo := createActionsTestRepo(t, user2Token, "reusable_workflow", true)
+
+		// a private repo(id=6) of user10 will try to clone "reusable_workflow" repo
+		user10 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 10})
+		// task id is 55 and its repo_id=6
+		task := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 55, RepoID: 6})
+		taskToken := "674f727a81ed2f195bccab036cccf86a182199eb"
+		tokenHash := auth_model.HashToken(taskToken, task.TokenSalt)
+		assert.Equal(t, task.TokenHash, tokenHash)
+
+		dstPath := t.TempDir()
+		u.Path = fmt.Sprintf("%s/%s.git", repo.Owner.UserName, repo.Name)
+		u.User = url.UserPassword("gitea-actions", taskToken)
+
+		// the git clone will fail
+		doGitCloneFail(u)(t)
+
+		// add user10 to the list of collaborative owners
+		req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/settings/actions/general/collaborative_owner/add", repo.Owner.UserName, repo.Name), map[string]string{
+			"_csrf":               GetUserCSRFToken(t, user2Session),
+			"collaborative_owner": user10.Name,
+		})
+		user2Session.MakeRequest(t, req, http.StatusOK)
+
+		// the git clone will be successful
+		doGitClone(dstPath, u)(t)
+
+		// remove user10 from the list of collaborative owners
+		req = NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/settings/actions/general/collaborative_owner/delete?id=%d", repo.Owner.UserName, repo.Name, user10.ID), map[string]string{
+			"_csrf": GetUserCSRFToken(t, user2Session),
+		})
+		user2Session.MakeRequest(t, req, http.StatusOK)
+
+		// the git clone will fail
+		doGitCloneFail(u)(t)
+	})
+}