Description
Hello,
#33964 introduced multiple new APIs for interacting with actions, but I think the permission checks for actions/jobs and actions/runs are too tight.
They currently require the caller to be the owner of the repository, because these APIs are declared via addActionsRoutes, which uses either reqOwner() or reqOrgOwnership(). That seems logical for the other, much more sensitive routes in this function, but for /runs and /jobs I think read permission is enough.
This also does not match GitHub's requirements for this endpoint: "Anyone with read access to the repository can use this endpoint." (https://docs.github.com/en/rest/actions/workflow-runs?apiVersion=2022-11-28#list-workflow-runs-for-a-repository)
The code in question:
Line 930 in 1771569

```go
m.Get("/runs", reqToken(), reqChecker, act.ListWorkflowRuns)
```
Gitea Version
v1.25.3
Can you reproduce the bug on the Gitea demo site?
Yes
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
Self hosted
Database
None
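To make the reported behaviour concrete, here is an added example (not Gitea's own code, and not from the issue author) that models a route guard chain with a hypothetical access-mode lattice and shows how the same `/runs` handler behaves behind an owner-only guard versus a read-level guard. The names `requireAtLeast`, `reqToken`, `chain`, `RequestContext` and the `AccessMode` constants are all assumptions for the illustration; the caller's access mode is assumed to have been resolved by an earlier authentication step.

```go
package main

import (
	"errors"
	"fmt"
)

// AccessMode is a hypothetical permission lattice ordered from weakest to
// strongest. It is a stand-in for the discussion, not Gitea's own type.
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead
	AccessWrite
	AccessAdmin
	AccessOwner
)

func (m AccessMode) String() string {
	return []string{"none", "read", "write", "admin", "owner"}[m]
}

// ErrForbidden is the sentinel every guard wraps when it rejects a request,
// so callers can test the outcome with errors.Is.
var ErrForbidden = errors.New("403 Forbidden")

// RequestContext carries what a guard needs: who is calling, and the access
// level that user holds on the target repository (assumed already resolved).
type RequestContext struct {
	User string
	Mode AccessMode
}

type Handler func(*RequestContext) error
type Middleware func(Handler) Handler

// requireAtLeast builds a guard that rejects any caller whose access mode on
// the repository is below min.
func requireAtLeast(min AccessMode) Middleware {
	return func(next Handler) Handler {
		return func(ctx *RequestContext) error {
			if ctx.Mode < min {
				return fmt.Errorf("%w: %q has %s access, route needs %s",
					ErrForbidden, ctx.User, ctx.Mode, min)
			}
			return next(ctx)
		}
	}
}

// reqToken stands in for "the caller must be authenticated at all".
func reqToken() Middleware {
	return func(next Handler) Handler {
		return func(ctx *RequestContext) error {
			if ctx.User == "" {
				return fmt.Errorf("%w: unauthenticated", ErrForbidden)
			}
			return next(ctx)
		}
	}
}

// chain wraps h so that the guards run left to right before it.
func chain(h Handler, guards ...Middleware) Handler {
	for i := len(guards) - 1; i >= 0; i-- {
		h = guards[i](h)
	}
	return h
}

// listWorkflowRuns is a placeholder for the real handler; it only matters
// whether a guard lets the request reach it.
func listWorkflowRuns(ctx *RequestContext) error { return nil }

// ownerOnlyRuns is the behaviour the issue reports: only the owner passes.
var ownerOnlyRuns = chain(listWorkflowRuns, reqToken(), requireAtLeast(AccessOwner))

// readerRuns is the behaviour the issue argues for: read access is enough,
// while unauthenticated callers are still rejected by reqToken.
var readerRuns = chain(listWorkflowRuns, reqToken(), requireAtLeast(AccessRead))

func main() {
	// Constructed sample callers covering each point of the lattice.
	callers := []RequestContext{
		{User: "", Mode: AccessNone},
		{User: "collaborator", Mode: AccessRead},
		{User: "maintainer", Mode: AccessWrite},
		{User: "owner", Mode: AccessOwner},
	}
	for i := range callers {
		c := &callers[i]
		fmt.Printf("%-13s owner-only: %v\n", c.User, ownerOnlyRuns(c))
		fmt.Printf("%-13s read-level: %v\n", c.User, readerRuns(c))
	}
}
```

The guard only changes its minimum mode; the `reqToken` step stays in front of it, so loosening `/runs` and `/jobs` to read level still keeps anonymous callers out, which is the property to re-check after swapping the owner-level guard on those two routes for a read-level one.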