Add ability to restrict fine-grained tokens to specific repositories #26746

Closed
merlleu opened this issue Aug 26, 2023 · 3 comments
Labels
type/proposal The new feature has not been accepted yet but needs to be discussed first.

Comments

@merlleu
Contributor

merlleu commented Aug 26, 2023

Feature Description

Hello, I'd like to have the ability to create fine-grained tokens with per-repository permissions.
Currently, to allow the build of select repositories using actions, we create a token giving read-only access to all repos and set it as an action secret.
This is not ideal because, in the case of an infected repository (if a developer got their Gitea account hacked), the attacker could easily use actions to escalate privileges and access all the repos accessible by the access token.

Having the ability to limit the scope to certain repositories (the best thing would be to be able to set permissions per repo) would mitigate this risk.

Currently, we could get a similar effect by creating "service accounts" for each repository needing private repo access or by using deploy keys (but this would not work for packages).

@merlleu merlleu added the type/proposal The new feature has not been accepted yet but needs to be discussed first. label Aug 26, 2023
@merlleu
Contributor Author

merlleu commented Aug 27, 2023

I was thinking another way of managing this would be to have the ability to create service accounts for specific repos:
The repository's actions would inherit from a token with the service account permissions.

There would be an option to create the service account of a repo, adding a new tab to the settings page of the repo, listing permissions of the service account.

Permissions of the service account itself should be managed the same way as real accounts.
Service accounts should have gitea_svc_{repo_id} as username and {owner_name}/{repo_name} as full name, and updating the repo/owner name should update the service account's full name.
Best thing would be to have a badge next to the name indicating it's a repo/service account.
They should be "login disabled".

I don't know if this feature might interest people out here, but for our use cases it might be perfect to improve CI/CD safety.

@merlleu
Contributor Author

merlleu commented Aug 27, 2023

Maybe I should create a specific issue for this because it's now quite far from the original idea.

@merlleu
Contributor Author

merlleu commented Aug 27, 2023

closed in favor of #26754

@merlleu merlleu closed this as completed Aug 27, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 12, 2023