fix: show the actions trust management panel when runs from trusted users are pending approval (#12812)

When the status of a user makes it implicitly trusted to run actions (for instance when it becomes a member of the Owners team of an organization), the runs that were blocked before they became trusted will need to be approved or denied.

The trust management panel was not displayed if the poster of the pull request was trusted. It is now displayed regardless of the current trust status of the user.

Closes forgejo/forgejo#12811

---

## Alternative implementation

An alternative implementation would be to approve all pending runs whenever the trust status of a user changes. That would require that change to happen when the user joins a team with permissions to run actions, becomes an admin, a collaborator to a repository with write access or when a repository ownership is transferred to an organization where the user already has such rights.

Such an implementation would save the effort of manually taking care of the runs pending approval for the now trusted user. But it would also be fragile to maintain because it would need a complete inventory of all the ways a user can become trusted. Or some kind of notification triggered whenever such an event happens, which is not currently in place.

Since this is a rare case and the manual operation is simple, I think the easiest fix consisting of showing the trust panel regardless of the trust status of the user is acceptable.

## Lingering rows in `ActionUser`

If a newly trusted user is explicitly always trusted **after** being implicitly trusted, a row is created in `ActionUser`. But the `Revoke` button will never show, because the user is now implicitly trusted. This leaves a lingering row in the `ActionUser` table. Such a row will be [removed](!9397 (commit e41bcf5048)) eventually and not clutter the table.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- User Interface bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12812): <!--number 12812 --><!--line 0 --><!--description Zml4OiBzaG93IHRoZSBhY3Rpb25zIHRydXN0IG1hbmFnZW1lbnQgcGFuZWwgd2hlbiBydW5zIGZyb20gdHJ1c3RlZCB1c2VycyBhcmUgcGVuZGluZyBhcHByb3ZhbA==-->fix: show the actions trust management panel when runs from trusted users are pending approval<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12812
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>

templates/repo/pulls/trust.tmpl

@@ -23,7 +23,7 @@ Template Attributes:
 				</form>
 			</div>
 		</div>
-	{{else if and .PullRequestPosterIsNotTrustedWithActions .SomePullRequestRunsNeedApproval}}
+	{{else if .SomePullRequestRunsNeedApproval}}
 		<div class="pull-request-trust-panel" id="pull-request-trust-panel">
 			<div class="divider"></div>
 			<div class="item item-section">

tests/integration/actions_trust_test.go

@@ -254,6 +254,14 @@ func actionsTrustTestCreatePullRequestFromForkedRepo(t *testing.T, baseUser *use
 	return forkedRepo, pullRequest, addFileToForkedResp
 }
 
+func actionsTrustSetCollaborator(t *testing.T, token string, repo *repo_model.Repository, user *user_model.User, permission string) {
+	t.Helper()
+
+	repoAPILink := repo.APIURL()
+	req := NewRequestWithJSON(t, "PUT", fmt.Sprintf("%s/collaborators/%s", repoAPILink, user.Name), map[string]string{"permission": permission}).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNoContent)
+}
+
 // Mark the PR as a work-in-progress PR
 func actionsTrustTestSetPullRequestWIP(t *testing.T, pullRequest *issues_model.PullRequest, wip bool) {
 	t.Helper()
@@ -284,7 +292,41 @@ func actionsTrustTestModifyTitlePullRequest(t *testing.T, token string, pullRequ
 	assert.Equal(t, actions_model.StatusBlocked, actionRunJob.Status)
 }
 
-func TestActionsPullRequestTrustPanel(t *testing.T) {
+func TestActionsPullRequestTrustPanelImplicit(t *testing.T) {
+	onApplicationRun(t, func(t *testing.T, u *url.URL) {
+		ownerUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) // owner of the repo
+		ownerSession := loginUser(t, ownerUser.Name)
+		ownerToken := getTokenForLoggedInUser(t, ownerSession, auth_model.AccessTokenScopeAll)
+
+		regularUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5}) // a regular user with no specific permission
+		regularSession := loginUser(t, regularUser.Name)
+
+		baseRepo, f := actionsTrustTestCreateBaseRepo(t, ownerUser)
+		defer f()
+
+		_, pullRequest, _ := actionsTrustTestCreatePullRequestFromForkedRepo(t, ownerUser, baseRepo, regularUser)
+		pullRequestLink := pullRequest.Issue.Link()
+
+		t.Run("All users see a pending approval on a newly created pull request from a fork", func(t *testing.T) {
+			actionsTrustTestAssertTrustPanel(t, regularSession, pullRequestLink)
+			actionsTrustTestAssertTrustPanel(t, ownerSession, pullRequestLink)
+		})
+
+		t.Run("The regular user becomes implicitly trusted and the pending approval are still displayed because they were created when the user was not trusted", func(t *testing.T) {
+			actionsTrustSetCollaborator(t, ownerToken, baseRepo, regularUser, "admin")
+			actionsTrustTestAssertTrustPanel(t, regularSession, pullRequestLink)
+			actionsTrustTestAssertTrustPanel(t, ownerSession, pullRequestLink)
+		})
+
+		t.Run("The newly implicitly trusted user can approve its own runs", func(t *testing.T) {
+			actionsTrustTestClickTrustPanel(t, regularSession, pullRequestLink, string(actions_service.UserTrustedOnce))
+			actionsTrustTestAssertNoTrustPanel(t, regularSession, pullRequestLink)
+			actionsTrustTestAssertNoTrustPanel(t, ownerSession, pullRequestLink)
+		})
+	})
+}
+
+func TestActionsPullRequestTrustPanelExplicit(t *testing.T) {
 	onApplicationRun(t, func(t *testing.T, u *url.URL) {
 		ownerUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) // owner of the repo