diff --git a/routers/web/repo/githttp.go b/routers/web/repo/githttp.go
index 2af559817a..d7e0360675 100644
--- a/routers/web/repo/githttp.go
+++ b/routers/web/repo/githttp.go
@@ -195,13 +195,17 @@ func httpBase(ctx *context.Context) *serviceHandler {
 					return nil
 				}
 				if task.RepoID != repo.ID {
+					actionsCfg := repo.MustGetUnit(ctx, unit.TypeActions).ActionsConfig()
 					taskRepo, err := repo_model.GetRepositoryByID(ctx, task.RepoID)
 					if err != nil {
 						ctx.ServerError("GetRepositoryByID", err)
 						return nil
 					}
-					actionsCfg := repo.MustGetUnit(ctx, unit.TypeActions).ActionsConfig()
-					if !taskRepo.IsPrivate || taskRepo.OwnerID != repo.OwnerID || !actionsCfg.AccessbleFromOtherRepos {
+					if !actionsCfg.AccessbleFromOtherRepos || taskRepo.OwnerID != repo.OwnerID || !taskRepo.IsPrivate {
+						// See https://docs.github.com/en/actions/sharing-automations/sharing-actions-and-workflows-from-your-private-repository
+						// Any actions or reusable workflows stored in the private repository can be used in
+						// workflows defined in other private repositories owned by the same organization or user.
+						// Actions and reusable workflows stored in private repositories cannot be used in public repositories.
 						ctx.PlainText(http.StatusForbidden, "User permission denied")
 						return nil
 					}
diff --git a/routers/web/repo/setting/actions.go b/routers/web/repo/setting/actions.go
index 778078115c..2dea6c0f7c 100644
--- a/routers/web/repo/setting/actions.go
+++ b/routers/web/repo/setting/actions.go
@@ -12,9 +12,7 @@ import (
 	"code.gitea.io/gitea/services/context"
 )
 
-const (
-	tplRepoActionsGeneralSettings base.TplName = "repo/settings/actions"
-)
+const tplRepoActionsGeneralSettings base.TplName = "repo/settings/actions"
 
 func ActionsGeneralSettings(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("actions.general")