tenseleyflow/shithub / 07bdfb8

+			DNSServers:     cfg.Engine.DNSServers,

+	runCmd.Flags().String("network-allowlist", "", "Comma-separated host patterns allowed by the runner DNS policy")

+	runCmd.Flags().String("dns-servers", "", "Comma-separated DNS servers passed to step containers")

+		"server-url":        "server.base_url",

+		"token":             "runner.token",

+		"labels":            "runner.labels",

+		"capacity":          "runner.capacity",

+		"poll-interval":     "runner.poll_interval",

+		"workspace-root":    "runner.workspace_root",

+		"workspace-ttl":     "runner.workspace_ttl",

+		"engine":            "engine.kind",

+		"image":             "engine.default_image",

+		"network":           "engine.network",

+		"memory":            "engine.memory",

+		"cpus":              "engine.cpus",

+		"seccomp-profile":   "engine.seccomp_profile",

+		"container-user":    "engine.user",

+		"pids-limit":        "engine.pids_limit",

+		"network-allowlist": "runner.network_allowlist",

+		"dns-servers":       "engine.dns_servers",

+		"log-level":         "log.level",

+		"log-format":        "log.format",

+-- name: GetStepLogChunkBefore :one

+SELECT id, step_id, seq, chunk, created_at

+FROM workflow_step_log_chunks

+WHERE step_id = $1 AND seq < $2

+ORDER BY seq DESC

+LIMIT 1;

+

+-- name: GetStepLogChunkByStepSeq :one

+SELECT id, step_id, seq, chunk, created_at

+FROM workflow_step_log_chunks

+WHERE step_id = $1 AND seq = $2;

+

+-- name: UpdateStepLogChunk :exec

+UPDATE workflow_step_log_chunks

+SET chunk = $2

+WHERE id = $1;

+

+	GetStepLogChunkBefore(ctx context.Context, db DBTX, arg GetStepLogChunkBeforeParams) (WorkflowStepLogChunk, error)

+	GetStepLogChunkByStepSeq(ctx context.Context, db DBTX, arg GetStepLogChunkByStepSeqParams) (WorkflowStepLogChunk, error)

+	UpdateStepLogChunk(ctx context.Context, db DBTX, arg UpdateStepLogChunkParams) error

+const getStepLogChunkBefore = `-- name: GetStepLogChunkBefore :one

+SELECT id, step_id, seq, chunk, created_at

+FROM workflow_step_log_chunks

+WHERE step_id = $1 AND seq < $2

+ORDER BY seq DESC

+LIMIT 1

+`

+

+type GetStepLogChunkBeforeParams struct {

+	StepID int64

+	Seq    int32

+}

+

+func (q *Queries) GetStepLogChunkBefore(ctx context.Context, db DBTX, arg GetStepLogChunkBeforeParams) (WorkflowStepLogChunk, error) {

+	row := db.QueryRow(ctx, getStepLogChunkBefore, arg.StepID, arg.Seq)

+	var i WorkflowStepLogChunk

+	err := row.Scan(

+		&i.ID,

+		&i.StepID,

+		&i.Seq,

+		&i.Chunk,

+		&i.CreatedAt,

+	)

+	return i, err

+}

+

+const getStepLogChunkByStepSeq = `-- name: GetStepLogChunkByStepSeq :one

+SELECT id, step_id, seq, chunk, created_at

+FROM workflow_step_log_chunks

+WHERE step_id = $1 AND seq = $2

+`

+

+type GetStepLogChunkByStepSeqParams struct {

+	StepID int64

+	Seq    int32

+}

+

+func (q *Queries) GetStepLogChunkByStepSeq(ctx context.Context, db DBTX, arg GetStepLogChunkByStepSeqParams) (WorkflowStepLogChunk, error) {

+	row := db.QueryRow(ctx, getStepLogChunkByStepSeq, arg.StepID, arg.Seq)

+	var i WorkflowStepLogChunk

+	err := row.Scan(

+		&i.ID,

+		&i.StepID,

+		&i.Seq,

+		&i.Chunk,

+		&i.CreatedAt,

+	)

+	return i, err

+}

+

+

+const updateStepLogChunk = `-- name: UpdateStepLogChunk :exec

+UPDATE workflow_step_log_chunks

+SET chunk = $2

+WHERE id = $1

+`

+

+type UpdateStepLogChunkParams struct {

+	ID    int64

+	Chunk []byte

+}

+

+func (q *Queries) UpdateStepLogChunk(ctx context.Context, db DBTX, arg UpdateStepLogChunkParams) error {

+	_, err := db.Exec(ctx, updateStepLogChunk, arg.ID, arg.Chunk)

+	return err

+}

+	ActionsLogScrubReplacementsTotal = prometheus.NewCounterVec(

+		prometheus.CounterOpts{

+			Name: "shithub_actions_log_scrub_replacements_total",

+			Help: "Total exact secret-value replacements performed on Actions log chunks.",

+		},

+		[]string{"location"},

+	)

+		ActionsLogScrubReplacementsTotal,

+	Secrets        map[string]string `json:"secrets"`

+	MaskValues     []string          `json:"mask_values"`

+	"net/netip"

+var defaultNetworkAllowlist = []string{

+	"api.github.com",

+	"auth.docker.io",

+	"codeload.github.com",

+	"github.com",

+	"objects.githubusercontent.com",

+	"production.cloudflare.docker.com",

+	"registry-1.docker.io",

+	"*.githubusercontent.com",

+}

+

+	Token            string        `toml:"token"`

+	Labels           []string      `toml:"labels"`

+	Capacity         int           `toml:"capacity"`

+	PollInterval     time.Duration `toml:"poll_interval"`

+	WorkspaceRoot    string        `toml:"workspace_root"`

+	WorkspaceTTL     time.Duration `toml:"workspace_ttl"`

+	NetworkAllowlist []string      `toml:"network_allowlist"`

+	Kind           string   `toml:"kind"`

+	DefaultImage   string   `toml:"default_image"`

+	Network        string   `toml:"network"`

+	Memory         string   `toml:"memory"`

+	CPUs           string   `toml:"cpus"`

+	SeccompProfile string   `toml:"seccomp_profile"`

+	User           string   `toml:"user"`

+	PidsLimit      int      `toml:"pids_limit"`

+	DNSServers     []string `toml:"dns_servers"`

+			Labels:           []string{"self-hosted", "linux", "ubuntu-latest"},

+			Capacity:         1,

+			PollInterval:     5 * time.Second,

+			WorkspaceRoot:    "/var/lib/shithubd-runner/workspaces",

+			WorkspaceTTL:     24 * time.Hour,

+			NetworkAllowlist: append([]string{}, defaultNetworkAllowlist...),

+	allowlist, err := normalizeHostPatterns(c.Runner.NetworkAllowlist)

+	if err != nil {

+		return fmt.Errorf("runner config: runner.network_allowlist: %w", err)

+	}

+	c.Runner.NetworkAllowlist = allowlist

+	dnsServers, err := normalizeDNSServers(c.Engine.DNSServers)

+	if err != nil {

+		return fmt.Errorf("runner config: engine.dns_servers: %w", err)

+	}

+	c.Engine.DNSServers = dnsServers

+func normalizeHostPatterns(patterns []string) ([]string, error) {

+	seen := map[string]struct{}{}

+	out := make([]string, 0, len(patterns))

+	for _, p := range patterns {

+		p = strings.ToLower(strings.TrimSpace(p))

+		if p == "" {

+			continue

+		}

+		if strings.ContainsAny(p, "/:") || strings.Trim(p, "*.abcdefghijklmnopqrstuvwxyz0123456789-") != "" {

+			return nil, fmt.Errorf("invalid host pattern %q", p)

+		}

+		if strings.Contains(p, "**") || strings.Contains(p, "..") || strings.HasPrefix(p, ".") || strings.HasSuffix(p, ".") {

+			return nil, fmt.Errorf("invalid host pattern %q", p)

+		}

+		if strings.Contains(p, "*") && !strings.HasPrefix(p, "*.") {

+			return nil, fmt.Errorf("invalid wildcard host pattern %q", p)

+		}

+		if _, ok := seen[p]; ok {

+			continue

+		}

+		seen[p] = struct{}{}

+		out = append(out, p)

+	}

+	if len(out) == 0 {

+		return nil, errors.New("must contain at least one host pattern")

+	}

+	return out, nil

+}

+

+func normalizeDNSServers(servers []string) ([]string, error) {

+	seen := map[string]struct{}{}

+	out := make([]string, 0, len(servers))

+	for _, s := range servers {

+		s = strings.TrimSpace(s)

+		if s == "" {

+			continue

+		}

+		if strings.ContainsAny(s, " \t\r\n") {

+			return nil, fmt.Errorf("invalid DNS server %q", s)

+		}

+		if _, err := netip.ParseAddr(s); err != nil {

+			return nil, fmt.Errorf("invalid DNS server %q", s)

+		}

+		if _, ok := seen[s]; ok {

+			continue

+		}

+		seen[s] = struct{}{}

+		out = append(out, s)

+	}

+	return out, nil

+}

+

+	if want := []string{"api.github.com", "auth.docker.io", "codeload.github.com", "github.com", "objects.githubusercontent.com", "production.cloudflare.docker.com", "registry-1.docker.io", "*.githubusercontent.com"}; !reflect.DeepEqual(cfg.Runner.NetworkAllowlist, want) {

+		t.Fatalf("NetworkAllowlist: got %#v want %#v", cfg.Runner.NetworkAllowlist, want)

+	}

+network_allowlist = ["github.com", "*.githubusercontent.com"]

+dns_servers = ["172.30.0.10"]

+			"SHITHUB_RUNNER_ENGINE__DNS_SERVERS=172.30.0.11,172.30.0.12",

+			"server.base_url":          "https://flag.example/path/",

+			"runner.capacity":          "4",

+			"runner.poll_interval":     "2s",

+			"runner.network_allowlist": "api.github.com,github.com",

+			"engine.seccomp_profile":   "/flag/seccomp.json",

+			"engine.user":              "123:456",

+	if want := []string{"api.github.com", "github.com"}; !reflect.DeepEqual(cfg.Runner.NetworkAllowlist, want) {

+		t.Fatalf("NetworkAllowlist: got %#v want %#v", cfg.Runner.NetworkAllowlist, want)

+	}

+	if want := []string{"172.30.0.11", "172.30.0.12"}; !reflect.DeepEqual(cfg.Engine.DNSServers, want) {

+		t.Fatalf("DNSServers: got %#v want %#v", cfg.Engine.DNSServers, want)

+	}

+

+func TestValidate_RejectsBadNetworkAllowlist(t *testing.T) {

+	t.Parallel()

+	cfg := Defaults()

+	cfg.Runner.Token = "tok"

+	cfg.Runner.NetworkAllowlist = []string{"https://github.com"}

+	if err := Validate(&cfg); err == nil {

+		t.Fatal("Validate returned nil error")

+	}

+}

+

+func TestValidate_RejectsBadDNSServer(t *testing.T) {

+	t.Parallel()

+	cfg := Defaults()

+	cfg.Runner.Token = "tok"

+	cfg.Engine.DNSServers = []string{"dns.internal"}

+	if err := Validate(&cfg); err == nil {

+		t.Fatal("Validate returned nil error")

+	}

+}

+	DNSServers       []string

+	for _, dns := range d.cfg.DNSServers {

+		dns = strings.TrimSpace(dns)

+		if dns != "" {

+			args = append(args, "--dns", dns)

+		}

+	}

+		Secrets: job.Secrets,

+func TestDockerExecute_AddsConfiguredDNSServers(t *testing.T) {

+	t.Parallel()

+	rec := &recordingRunner{}

+	d := NewDocker(DockerConfig{

+		DefaultImage: "runner-image",

+		Network:      "actions-net",

+		Memory:       "2g",

+		CPUs:         "2",

+		DNSServers:   []string{"172.30.0.10", "172.30.0.11"},

+		Runner:       rec,

+	})

+	if _, err := d.Execute(t.Context(), Job{

+		ID:           1,

+		WorkspaceDir: t.TempDir(),

+		Steps:        []Step{{Run: "curl https://github.com"}},

+	}); err != nil {

+		t.Fatalf("Execute: %v", err)

+	}

+	if argAfterN(rec.args, "--dns", 0) != "172.30.0.10" || argAfterN(rec.args, "--dns", 1) != "172.30.0.11" {

+		t.Fatalf("dns args missing: %#v", rec.args)

+	}

+}

+

+

+func argAfterN(args []string, flag string, n int) string {

+	for i, arg := range args {

+		if arg == flag {

+			if n == 0 && i+1 < len(args) {

+				return args[i+1]

+			}

+			n--

+		}

+	}

+	return ""

+}

+	Secrets        map[string]string

+		Secrets:        cloneStringMap(job.Secrets),

+		MaskValues:     append([]string{}, job.MaskValues...),

+func cloneStringMap(in map[string]string) map[string]string {

+	if len(in) == 0 {

+		return nil

+	}

+	out := make(map[string]string, len(in))

+	for k, v := range in {

+		out[k] = v

+	}

+	return out

+}

+

+	values       []string

+	replacer     *strings.Replacer

+	tail         string

+	replacements uint64

+	s.replacements += countReplacements(emit, s.values)

+	s.replacements += countReplacements(tail, s.values)

+func (s *Scrubber) Replacements() uint64 {

+	if s == nil {

+		return 0

+	}

+	return s.replacements

+}

+

+func countReplacements(input string, values []string) uint64 {

+	var count uint64

+	rest := input

+	for rest != "" {

+		bestAt := -1

+		best := ""

+		for _, value := range values {

+			at := strings.Index(rest, value)

+			if at < 0 {

+				continue

+			}

+			if bestAt == -1 || at < bestAt || (at == bestAt && len(value) > len(best)) {

+				bestAt = at

+				best = value

+			}

+		}

+		if bestAt == -1 {

+			return count

+		}

+		count++

+		rest = rest[bestAt+len(best):]

+	}

+	return count

+}

+

+	if s.Replacements() != 2 {

+		t.Fatalf("replacements: got %d, want 2", s.Replacements())

+	}

+	if s.Replacements() != 1 {

+		t.Fatalf("replacements: got %d, want 1", s.Replacements())

+	}

+	secretBox *secretbox.Box,

+		SecretBox:   secretBox,

+	"github.com/tenseleyFlow/shithub/internal/auth/secretbox"

+	SecretBox   *secretbox.Box

+	"sort"

+	"github.com/tenseleyFlow/shithub/internal/actions/secrets"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/runner/scrub"

+	resolvedSecrets, err := h.resolveVisibleSecrets(r.Context(), job.RepoID)

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "runner secret resolution failed", "repo_id", job.RepoID, "job_id", job.ID, "error", err)

+		writeAPIError(w, http.StatusInternalServerError, "runner secret resolution failed")

+		return

+	}

+	writeJSON(w, http.StatusOK, presentRunnerClaim(job, steps, resolvedSecrets, token, time.Unix(claims.Exp, 0)))

+	values, err := h.logMaskValues(r.Context(), auth.Claims.RepoID)

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "runner log mask resolution failed", "repo_id", auth.Claims.RepoID, "job_id", auth.Claims.JobID, "error", err)

+		writeAPIError(w, http.StatusInternalServerError, "log mask resolution failed")

+		return

+	}

+	if err := h.appendScrubbedLogChunk(r.Context(), stepID, body.Seq, chunk, values); err != nil {

+func (h *Handlers) resolveVisibleSecrets(ctx context.Context, repoID int64) (map[string]string, error) {

+	if h.d.SecretBox == nil {

+		return nil, nil

+	}

+	repo, err := reposdb.New().GetRepoByID(ctx, h.d.Pool, repoID)

+	if err != nil {

+		return nil, err

+	}

+	store := secrets.Deps{Pool: h.d.Pool, Box: h.d.SecretBox, Logger: h.d.Logger}

+	out := map[string]string{}

+	if repo.OwnerOrgID.Valid {

+		if err := h.mergeSecrets(ctx, store, secrets.OrgScope(repo.OwnerOrgID.Int64), out); err != nil {

+			return nil, err

+		}

+	}

+	if err := h.mergeSecrets(ctx, store, secrets.RepoScope(repo.ID), out); err != nil {

+		return nil, err

+	}

+	if len(out) == 0 {

+		return nil, nil

+	}

+	return out, nil

+}

+

+func (h *Handlers) mergeSecrets(ctx context.Context, store secrets.Deps, scope secrets.Scope, out map[string]string) error {

+	items, err := store.List(ctx, scope)

+	if err != nil {

+		return err

+	}

+	for _, item := range items {

+		plaintext, err := store.Get(ctx, scope, item.Name)

+		if err != nil {

+			return err

+		}

+		out[item.Name] = string(plaintext)

+	}

+	return nil

+}

+

+func (h *Handlers) logMaskValues(ctx context.Context, repoID int64) ([]string, error) {

+	resolved, err := h.resolveVisibleSecrets(ctx, repoID)

+	if err != nil {

+		return nil, err

+	}

+	return secretMaskValues(resolved), nil

+}

+

+func secretMaskValues(resolved map[string]string) []string {

+	if len(resolved) == 0 {

+		return nil

+	}

+	values := make([]string, 0, len(resolved))

+	for _, value := range resolved {

+		values = append(values, value)

+	}

+	sort.Strings(values)

+	return values

+}

+

+func cloneStringMap(in map[string]string) map[string]string {

+	if len(in) == 0 {

+		return nil

+	}

+	out := make(map[string]string, len(in))

+	for k, v := range in {

+		out[k] = v

+	}

+	return out

+}

+

+func (h *Handlers) appendScrubbedLogChunk(ctx context.Context, stepID int64, seq int32, chunk []byte, values []string) error {

+	q := actionsdb.New()

+	if len(values) == 0 {

+		_, err := q.AppendStepLogChunk(ctx, h.d.Pool, actionsdb.AppendStepLogChunkParams{

+			StepID: stepID,

+			Seq:    seq,

+			Chunk:  chunk,

+		})

+		if errors.Is(err, pgx.ErrNoRows) {

+			return nil

+		}

+		return err

+	}

+

+	tx, err := h.d.Pool.Begin(ctx)

+	if err != nil {

+		return err

+	}

+	committed := false

+	defer func() {

+		if !committed {

+			_ = tx.Rollback(ctx)

+		}

+	}()

+

+	if _, err := q.GetStepLogChunkByStepSeq(ctx, tx, actionsdb.GetStepLogChunkByStepSeqParams{

+		StepID: stepID,

+		Seq:    seq,

+	}); err == nil {

+		if err := tx.Commit(ctx); err != nil {

+			return err

+		}

+		committed = true

+		return nil

+	} else if !errors.Is(err, pgx.ErrNoRows) {

+		return err

+	}

+

+	var replacements uint64

+	prev, err := q.GetStepLogChunkBefore(ctx, tx, actionsdb.GetStepLogChunkBeforeParams{

+		StepID: stepID,

+		Seq:    seq,

+	})

+	if err == nil {

+		if carry := scrubCarryLen(prev.Chunk, values); carry > 0 {

+			prefix := append([]byte(nil), prev.Chunk[:len(prev.Chunk)-carry]...)

+			combined := append(append([]byte(nil), prev.Chunk[len(prev.Chunk)-carry:]...), chunk...)

+			chunk, replacements = scrubChunk(combined, values)

+			if err := q.UpdateStepLogChunk(ctx, tx, actionsdb.UpdateStepLogChunkParams{

+				ID:    prev.ID,

+				Chunk: prefix,

+			}); err != nil {

+				return err

+			}

+		} else {

+			chunk, replacements = scrubChunk(chunk, values)

+		}

+	} else if errors.Is(err, pgx.ErrNoRows) {

+		chunk, replacements = scrubChunk(chunk, values)

+	} else {

+		return err

+	}

+

+	if _, err := q.AppendStepLogChunk(ctx, tx, actionsdb.AppendStepLogChunkParams{

+		StepID: stepID,

+		Seq:    seq,

+		Chunk:  chunk,

+	}); err != nil && !errors.Is(err, pgx.ErrNoRows) {

+		return err

+	}

+	if err := tx.Commit(ctx); err != nil {

+		return err

+	}

+	committed = true

+	if replacements > 0 {

+		metrics.ActionsLogScrubReplacementsTotal.WithLabelValues("server").Add(float64(replacements))

+	}

+	return nil

+}

+

+func scrubChunk(chunk []byte, values []string) ([]byte, uint64) {

+	if len(values) == 0 {

+		return chunk, 0

+	}

+	s := scrub.New(values)

+	out := s.Scrub(chunk)

+	return append(out, s.Flush()...), s.Replacements()

+}

+

+func scrubCarryLen(chunk []byte, values []string) int {

+	if len(chunk) == 0 || len(values) == 0 {

+		return 0

+	}

+	text := string(chunk)

+	keep := 0

+	for _, value := range values {

+		if value == "" {

+			continue

+		}

+		max := len(value) - 1

+		if max > len(text) {

+			max = len(text)

+		}

+		for n := max; n > keep; n-- {

+			if strings.HasSuffix(text, value[:n]) {

+				keep = n

+				break

+			}

+		}

+	}

+	return keep

+}

+

+	ID             int64             `json:"id"`

+	RunID          int64             `json:"run_id"`

+	RepoID         int64             `json:"repo_id"`

+	RunIndex       int64             `json:"run_index"`

+	WorkflowFile   string            `json:"workflow_file"`

+	WorkflowName   string            `json:"workflow_name"`

+	HeadSHA        string            `json:"head_sha"`

+	HeadRef        string            `json:"head_ref"`

+	Event          string            `json:"event"`

+	EventPayload   json.RawMessage   `json:"event_payload"`

+	JobKey         string            `json:"job_key"`

+	JobName        string            `json:"job_name"`

+	RunsOn         string            `json:"runs_on"`

+	Needs          []string          `json:"needs"`

+	If             string            `json:"if"`

+	TimeoutMinutes int32             `json:"timeout_minutes"`

+	Permissions    json.RawMessage   `json:"permissions"`

+	Secrets        map[string]string `json:"secrets"`

+	MaskValues     []string          `json:"mask_values"`

+	Env            json.RawMessage   `json:"env"`

+	Steps          []runnerStep      `json:"steps"`

+	resolvedSecrets map[string]string,

+			Secrets:        cloneStringMap(resolvedSecrets),

+			MaskValues:     secretMaskValues(resolvedSecrets),

+	actionsecrets "github.com/tenseleyFlow/shithub/internal/actions/secrets"

+	"github.com/tenseleyFlow/shithub/internal/auth/secretbox"

+func TestRunnerSecretsAreClaimedAndServerScrubsLogs(t *testing.T) {

+	ctx := context.Background()

+	pool := dbtest.NewTestDB(t)

+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))

+	repoID, userID := setupRunnerAPIRepo(t, pool)

+	runID := enqueueRunnerAPIRun(t, pool, logger, repoID, userID)

+	box := testRunnerAPISecretBox(t)

+	if err := (actionsecrets.Deps{Pool: pool, Box: box}).Set(ctx, actionsecrets.RepoScope(repoID), "TOKEN", []byte("hunter2"), userID); err != nil {

+		t.Fatalf("Set secret: %v", err)

+	}

+

+	token, _ := registerRunnerForTest(t, pool, []string{"ubuntu-latest", "linux"}, 1)

+	signer := runnerAPISigner(t, time.Date(2026, 5, 10, 12, 0, 0, 0, time.UTC))

+	router := newRunnerAPIRouterWithSecretBox(t, pool, logger, signer, box)

+

+	req := httptest.NewRequest(http.MethodPost, "/api/v1/runners/heartbeat",

+		strings.NewReader(`{"labels":["ubuntu-latest","linux"],"capacity":1}`))

+	req.Header.Set("Authorization", "Bearer "+token)

+	rr := httptest.NewRecorder()

+	router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusOK {

+		t.Fatalf("heartbeat status: got %d, want 200; body=%s", rr.Code, rr.Body.String())

+	}

+	var claim struct {

+		Token string `json:"token"`

+		Job   struct {

+			ID         int64             `json:"id"`

+			RunID      int64             `json:"run_id"`

+			Secrets    map[string]string `json:"secrets"`

+			MaskValues []string          `json:"mask_values"`

+		} `json:"job"`

+	}

+	if err := json.Unmarshal(rr.Body.Bytes(), &claim); err != nil {

+		t.Fatalf("decode claim: %v", err)

+	}

+	if claim.Job.RunID != runID || claim.Job.Secrets["TOKEN"] != "hunter2" || !containsString(claim.Job.MaskValues, "hunter2") {

+		t.Fatalf("claim did not include masked secret context: %+v", claim.Job)

+	}

+

+	rawLog := []byte("before hunter2 after\n")

+	logBody := fmt.Sprintf(`{"seq":0,"chunk":%q}`, base64.StdEncoding.EncodeToString(rawLog))

+	req = httptest.NewRequest(http.MethodPost, fmt.Sprintf("/api/v1/jobs/%d/logs", claim.Job.ID), strings.NewReader(logBody))

+	req.Header.Set("Authorization", "Bearer "+claim.Token)

+	rr = httptest.NewRecorder()

+	router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusAccepted {

+		t.Fatalf("logs status: got %d, want 202; body=%s", rr.Code, rr.Body.String())

+	}

+	step, err := actionsdb.New().GetFirstStepForJob(ctx, pool, claim.Job.ID)

+	if err != nil {

+		t.Fatalf("GetFirstStepForJob: %v", err)

+	}

+	chunks, err := actionsdb.New().ListStepLogChunks(ctx, pool, actionsdb.ListStepLogChunksParams{

+		StepID: step.ID,

+		Seq:    -1,

+		Limit:  10,

+	})

+	if err != nil {

+		t.Fatalf("ListStepLogChunks: %v", err)

+	}

+	if len(chunks) != 1 {

+		t.Fatalf("chunks: %#v", chunks)

+	}

+	got := string(chunks[0].Chunk)

+	if strings.Contains(got, "hunter2") || got != "before *** after\n" {

+		t.Fatalf("stored log chunk was not scrubbed: %q", got)

+	}

+}

+

+func TestRunnerServerScrubsSecretSplitAcrossLogPosts(t *testing.T) {

+	ctx := context.Background()

+	pool := dbtest.NewTestDB(t)

+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))

+	repoID, userID := setupRunnerAPIRepo(t, pool)

+	enqueueRunnerAPIRun(t, pool, logger, repoID, userID)

+	box := testRunnerAPISecretBox(t)

+	if err := (actionsecrets.Deps{Pool: pool, Box: box}).Set(ctx, actionsecrets.RepoScope(repoID), "TOKEN", []byte("hunter2"), userID); err != nil {

+		t.Fatalf("Set secret: %v", err)

+	}

+

+	token, _ := registerRunnerForTest(t, pool, []string{"ubuntu-latest", "linux"}, 1)

+	signer := runnerAPISigner(t, time.Date(2026, 5, 10, 12, 0, 0, 0, time.UTC))

+	router := newRunnerAPIRouterWithSecretBox(t, pool, logger, signer, box)

+

+	req := httptest.NewRequest(http.MethodPost, "/api/v1/runners/heartbeat",

+		strings.NewReader(`{"labels":["ubuntu-latest","linux"],"capacity":1}`))

+	req.Header.Set("Authorization", "Bearer "+token)

+	rr := httptest.NewRecorder()

+	router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusOK {

+		t.Fatalf("heartbeat status: got %d, want 200; body=%s", rr.Code, rr.Body.String())

+	}

+	var claim struct {

+		Token string `json:"token"`

+		Job   struct {

+			ID int64 `json:"id"`

+		} `json:"job"`

+	}

+	if err := json.Unmarshal(rr.Body.Bytes(), &claim); err != nil {

+		t.Fatalf("decode claim: %v", err)

+	}

+

+	next := postRunnerLogChunk(t, router, claim.Job.ID, claim.Token, 0, []byte("before hun"))

+	next = postRunnerLogChunk(t, router, claim.Job.ID, next, 1, []byte("ter2 after\n"))

+

+	step, err := actionsdb.New().GetFirstStepForJob(ctx, pool, claim.Job.ID)

+	if err != nil {

+		t.Fatalf("GetFirstStepForJob: %v", err)

+	}

+	chunks, err := actionsdb.New().ListStepLogChunks(ctx, pool, actionsdb.ListStepLogChunksParams{

+		StepID: step.ID,

+		Seq:    -1,

+		Limit:  10,

+	})

+	if err != nil {

+		t.Fatalf("ListStepLogChunks: %v", err)

+	}

+	var combined strings.Builder

+	for _, chunk := range chunks {

+		combined.Write(chunk.Chunk)

+	}

+	got := combined.String()

+	if strings.Contains(got, "hunter2") || got != "before *** after\n" {

+		t.Fatalf("stored log chunks were not scrubbed across boundary: chunks=%#v combined=%q next=%q", chunks, got, next)

+	}

+}

+

+func postRunnerLogChunk(t *testing.T, router http.Handler, jobID int64, token string, seq int32, chunk []byte) string {

+	t.Helper()

+	body := fmt.Sprintf(`{"seq":%d,"chunk":%q}`, seq, base64.StdEncoding.EncodeToString(chunk))

+	req := httptest.NewRequest(http.MethodPost, fmt.Sprintf("/api/v1/jobs/%d/logs", jobID), strings.NewReader(body))

+	req.Header.Set("Authorization", "Bearer "+token)

+	rr := httptest.NewRecorder()

+	router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusAccepted {

+		t.Fatalf("logs status: got %d, want 202; body=%s", rr.Code, rr.Body.String())

+	}

+	var resp struct {

+		NextToken string `json:"next_token"`

+	}

+	if err := json.Unmarshal(rr.Body.Bytes(), &resp); err != nil {

+		t.Fatalf("decode log response: %v", err)

+	}

+	if resp.NextToken == "" {

+		t.Fatalf("empty next token in log response: %s", rr.Body.String())

+	}

+	return resp.NextToken

+}

+