diff --git a/go.mod b/go.mod
index 5bfd7c903..b30d56d6b 100644
--- a/go.mod
+++ b/go.mod
@@ -294,6 +294,6 @@ replace github.com/hashicorp/go-version => github.com/6543/go-version v1.3.1
 replace github.com/shurcooL/vfsgen => github.com/lunny/vfsgen v0.0.0-20220105142115-2c99e1ffdfa0
-replace github.com/nektos/act => code.forgejo.org/forgejo/act v1.21.3
+replace github.com/nektos/act => code.forgejo.org/thefinn93/act v1.21.3-0.20240916205117-e599cc69dc5e
 replace github.com/mholt/archiver/v3 => code.forgejo.org/forgejo/archiver/v3 v3.5.1
diff --git a/go.sum b/go.sum
index 86bced258..cd5448155 100644
--- a/go.sum
+++ b/go.sum
@@ -4,8 +4,6 @@ code.forgejo.org/f3/gof3/v3 v3.7.0 h1:ZfuCP8CGm8ZJbWmL+V0pUu3E0X4FCAA7GfRDy/y5/K
 code.forgejo.org/f3/gof3/v3 v3.7.0/go.mod h1:oNhOeqD4DZYjVcNjQXIOdDX9b/1tqxi9ITLS8H9/Csw=
 code.forgejo.org/forgejo-contrib/go-libravatar v0.0.0-20191008002943-06d1c002b251 h1:HTZl3CBk3ABNYtFI6TPLvJgGKFIhKT5CBk0sbOtkDKU=
 code.forgejo.org/forgejo-contrib/go-libravatar v0.0.0-20191008002943-06d1c002b251/go.mod h1:PphB88CPbx601QrWPMZATeorACeVmQlyv3u+uUMbSaM=
-code.forgejo.org/forgejo/act v1.21.3 h1:EeJbrz0aar2QhIcBlOW5gjK1rjrQxcAvQSPpG/R1h5w=
-code.forgejo.org/forgejo/act v1.21.3/go.mod h1:+PcvJ9iv+NTFeJSh79ra9Jbk9l0vvyA9D9me5/dbxYM=
 code.forgejo.org/forgejo/archiver/v3 v3.5.1 h1:UmmbA7D5550uf71SQjarmrn6yKwOGxtEjb3jaYYtmSE=
 code.forgejo.org/forgejo/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4=
 code.forgejo.org/forgejo/reply v1.0.2 h1:dMhQCHV6/O3L5CLWNTol+dNzDAuyCK88z4J/lCdgFuQ=
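Review bot: The replace target on the `+` line moves `github.com/nektos/act` from the organisation fork `code.forgejo.org/forgejo/act v1.21.3` to a personal fork at an untagged pseudo-version, `code.forgejo.org/thefinn93/act v1.21.3-0.20240916205117-e599cc69dc5e`. go.sum pins the content hash, so the build stays reproducible, but the provenance of the module that parses workflow files from repositories now rests on an individual account rather than on the project's own namespace. The act change this commit depends on (the `model.Permissions` type imported in `models/actions/task.go`) should be merged into `code.forgejo.org/forgejo/act` and tagged, and this line pointed back at that module path, before this lands.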
@@ -16,6 +14,8 @@ code.forgejo.org/go-chi/captcha v0.0.0-20240905153133-df43b9250ed5 h1:A7P1liXCpJ
 code.forgejo.org/go-chi/captcha v0.0.0-20240905153133-df43b9250ed5/go.mod h1:YLOsiln/arX3egGtxG4QNp49G2CIqP9pqD2VL56obLc=
 code.forgejo.org/go-chi/session v0.0.0-20240905153124-557e3de77cd2 h1:Ht2myT1qf4YbLcO/W3pQaWTn6PPdKz0tM5tnqMOz/Cg=
 code.forgejo.org/go-chi/session v0.0.0-20240905153124-557e3de77cd2/go.mod h1:oJs2Q5P5I7bzJGsgHt6fVzh2jlIr/9SLAvz/ZXb87BI=
+code.forgejo.org/thefinn93/act v1.21.3-0.20240916205117-e599cc69dc5e h1:3zms7edYa3uqTRSJj+TenW3bjCBRLD3eHlWtWSO3W3E=
+code.forgejo.org/thefinn93/act v1.21.3-0.20240916205117-e599cc69dc5e/go.mod h1:+PcvJ9iv+NTFeJSh79ra9Jbk9l0vvyA9D9me5/dbxYM=
 code.gitea.io/actions-proto-go v0.4.0 h1:OsPBPhodXuQnsspG1sQ4eRE1PeoZyofd7+i73zCwnsU=
 code.gitea.io/actions-proto-go v0.4.0/go.mod h1:mn7Wkqz6JbnTOHQpot3yDeHx+O5C9EGhMEE+htvHBas=
 code.gitea.io/gitea-vet v0.2.3 h1:gdFmm6WOTM65rE8FUBTRzeQZYzXePKSSB1+r574hWwI=
diff --git a/models/actions/task.go b/models/actions/task.go
index 8d41a631a..957a3cd72 100644
--- a/models/actions/task.go
+++ b/models/actions/task.go
@@ -21,6 +21,7 @@ import (
 runnerv1 "code.gitea.io/actions-proto-go/runner/v1"
 lru "github.com/hashicorp/golang-lru/v2"
 "github.com/nektos/act/pkg/jobparser"
+ "github.com/nektos/act/pkg/model"
 "google.golang.org/protobuf/types/known/timestamppb"
 "xorm.io/builder"
 )
@@ -56,6 +57,8 @@ type ActionTask struct {
 Created timeutil.TimeStamp `xorm:"created"`
 Updated timeutil.TimeStamp `xorm:"updated index"`
+
+ Permissions model.Permissions `xorm:"json"`
 }
 var successfulTokenTaskCache *lru.Cache[string, any]
@@ -286,6 +289,8 @@ func CreateTaskForRunner(ctx context.Context, runner *ActionRunner) (*ActionTask
 _, workflowJob = gots[0].Job()
 }
+ task.Permissions = workflowJob.Permissions
+
 if _, err := e.Insert(task); err != nil {
 return nil, false, err
 }
diff --git a/models/actions/variable.go b/models/actions/variable.go
index 8b3194b37..d0f917d92 100644
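Review bot: The new `Permissions model.Permissions \`xorm:"json"\`` field on `ActionTask` adds a persisted column, and no migration is visible in this diff; please confirm whether the startup table sync covers it or a migration needs to accompany the change, since otherwise the `e.Insert(task)` in `CreateTaskForRunner` will run against the old schema. Rows written before this change will load as a zero-value `Permissions`, which with the `IDToken == "write"` checks elsewhere in this commit means already-queued tasks stop receiving the ID-token secret and URL — a reasonable deny-by-default outcome, but worth stating in the release notes. The field also needs a doc comment, e.g. `// Permissions is the job-level permissions block parsed from the workflow; it gates whether the runner receives ACTIONS_ID_TOKEN_REQUEST_TOKEN.` In the `CreateTaskForRunner` hunk, `task.Permissions = workflowJob.Permissions` copies only the job's own block; whether the parser has already merged a workflow-level `permissions:` into each job is not visible here and deserves a test, because a top-level `id-token: write` would otherwise silently have no effect. `CreateTaskForRunner` begins and ends outside this hunk.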
--- a/models/actions/variable.go
+++ b/models/actions/variable.go
@@ -9,7 +9,6 @@ import (
 "code.gitea.io/gitea/models/db"
 "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/setting"
 "code.gitea.io/gitea/modules/timeutil"
 "xorm.io/builder"
@@ -103,9 +102,7 @@ func DeleteVariable(ctx context.Context, id int64) error {
 }
 func GetVariablesOfRun(ctx context.Context, run *ActionRun) (map[string]string, error) {
- variables := map[string]string{
- "ACTIONS_ID_TOKEN_REQUEST_URL": setting.AppURL + "api/actions_idtoken?api-version=2.0",
- }
+ variables := map[string]string{}
 if err := run.LoadRepo(ctx); err != nil {
 log.Error("LoadRepo: %v", err)
diff --git a/models/secret/secret.go b/models/secret/secret.go
index cd78c6227..84053e009 100644
--- a/models/secret/secret.go
+++ b/models/secret/secret.go
@@ -135,7 +135,10 @@ func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) (map[
 secrets["GITHUB_TOKEN"] = task.Token
 secrets["GITEA_TOKEN"] = task.Token
- secrets["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = task.Token
+
+ if task.Permissions.IDToken == "write" {
+ secrets["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = task.Token
+ }
 if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget {
 // ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated.
diff --git a/routers/api/actions/runner/utils.go b/routers/api/actions/runner/utils.go
index ff6ec5bd5..9d9590d3f 100644
--- a/routers/api/actions/runner/utils.go
+++ b/routers/api/actions/runner/utils.go
@@ -31,6 +31,8 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv
 return nil, false, nil
 }
+ log.Debug("job permissions: %+v", t.Permissions)
+
 secrets, err := secret_model.GetSecretsOfTask(ctx, t)
 if err != nil {
 return nil, false, fmt.Errorf("GetSecretsOfTask: %w", err)
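Review bot: The gate `if task.Permissions.IDToken == "write"` in `GetSecretsOfTask` only decides whether the runner is handed `ACTIONS_ID_TOKEN_REQUEST_TOKEN`, but the value behind it is the same `task.Token` that is exported unconditionally as `GITHUB_TOKEN` two lines above, so withholding the variable does not withhold the credential itself. The control that matters is therefore server-side: the handler behind `api/actions_idtoken` (not in this diff) must check the task's `Permissions.IDToken` before issuing a token, and this hunk should be treated as hygiene rather than enforcement — worth a comment such as `// Distribution only; the idtoken endpoint must enforce this permission itself.` The same comparison is repeated for the request URL in the second `pickTask` hunk of `routers/api/actions/runner/utils.go`; a single method on `ActionTask`, e.g. `func (t *ActionTask) CanRequestIDToken() bool { return t.Permissions.IDToken == "write" }`, would keep the two call sites and the endpoint from drifting, and the literal `"write"` should become a named constant if `model` exposes one. `GetSecretsOfTask` continues outside the hunk.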
@@ -41,6 +43,10 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv
 return nil, false, fmt.Errorf("GetVariablesOfRun: %w", err)
 }
+ if t.Permissions.IDToken == "write" {
+ vars["ACTIONS_ID_TOKEN_REQUEST_URL"] = setting.AppURL + "api/actions_idtoken?api-version=2.0"
+ }
+
 actions.CreateCommitStatus(ctx, t.Job)
 task := &runnerv1.Task{