docs/actions: document runner token handoff and label diagnostics (S41j)

Status	File	+	-
M	`deploy/doctl/README.md`	16	0
M	`docs/internal/actions-ga-readiness.md`	1	1
M	`docs/internal/actions-runner-api.md`	10	3
M	`docs/internal/runbooks/actions-runner.md`	9	6
M	`docs/internal/runbooks/actions.md`	22	7
M	`docs/internal/runbooks/runner-deploy.md`	7	3
M	`docs/public/user/actions.md`	8	1

deploy/doctl/README.mdmodified

  Replace the generated token placeholders with per-host values from
  `shithubd admin runner register`, preferably through ansible-vault or host_vars.
++Generate one token per runner host:
++
++```sh
++shithubd admin runner register \
++  --name actions-runner-1 \
++  --labels self-hosted,linux,ubuntu-latest,x64 \
++  --capacity 1 \
++  --output json
++```
++
++Store the returned `token` in inventory/vault, not in shell history. Rotate by
++registering a replacement token, deploying it to the host, confirming heartbeat,
++then revoking the old runner token.
++Use `--expires-in` only when that rotation is automated before the token
++expires.
++
  Then run:
  ```sh

docs/internal/actions-ga-readiness.mdmodified


 
 For a production-like runner host, manually verify:
 
+1. Register a new runner with `self-hosted,linux,ubuntu-latest,x64`.
 2. Trigger `.shithub/workflows/checkout-canary.yml` on trunk.
 3. Confirm the run appears in the Actions tab and the check run completes.
 4. Confirm step logs stream while the job is running and finalize to object

docs/internal/actions-runner-api.mdmodified

  Operators register a runner with:
  ```sh
--shithubd admin runner register --name runner-1 --labels self-hosted,linux,ubuntu-latest
++shithubd admin runner register \
++  --name runner-1 \
++  --labels self-hosted,linux,ubuntu-latest,x64 \
++  --capacity 1 \
++  --output json
  ```
  The command inserts `workflow_runners`, stores only a SHA-256 hash in
--`runner_tokens`, and prints the 32-byte hex token once.
++`runner_tokens`, and returns the raw 32-byte hex token once.
++`--expires-in` is optional and should only be used when the deployment rotates
++the runner token before it expires, because the runner uses that same token for
++heartbeat authentication.
  `POST /api/v1/runners/heartbeat` accepts:
  Request body:
  ```json
--{"labels":["ubuntu-latest","linux"],"capacity":1}
++{"labels":["self-hosted","linux","ubuntu-latest","x64"],"capacity":1}
  ```
  Returns 204 when no matching job is claimable. Returns 200 with

docs/internal/runbooks/actions-runner.mdmodified

  ```sh
  shithubd admin runner register \
    --name runner-1 \
--  --labels self-hosted,linux,ubuntu-latest \
++  --labels self-hosted,linux,ubuntu-latest,x64 \
--  --capacity 1
++  --capacity 1 \
++  --output json
  ```
--Save the printed token:
++Save the returned token:
  ```sh
  export RUNNER_TOKEN='<printed-token>'
  shithubd-runner run \
    --server-url "$BASE" \
    --token "$RUNNER_TOKEN" \
--  --labels self-hosted,linux,ubuntu-latest \
++  --labels self-hosted,linux,ubuntu-latest,x64 \
    --workspace-root /var/lib/shithubd-runner/workspaces \
    --network shithub-actions \
    --dns-servers 172.30.0.1
  [runner]
  token = "<printed-token>"
--labels = ["self-hosted", "linux", "ubuntu-latest"]
++labels = ["self-hosted", "linux", "ubuntu-latest", "x64"]
  capacity = 1
  poll_interval = "5s"
  workspace_root = "/var/lib/shithubd-runner/workspaces"
  The config path defaults to `/etc/shithubd-runner/config.toml`.
  Environment variables use the `SHITHUB_RUNNER_` prefix, for example
  `SHITHUB_RUNNER_TOKEN` or `SHITHUB_RUNNER_SERVER__BASE_URL`.
++Use `--expires-in` only for tokens that your automation rotates before expiry;
++the runner presents its registration token on every heartbeat.
  The Ansible runner role creates the `shithub-actions` bridge, runs the
  allowlist resolver at `172.30.0.1`, and installs firewall rules that
  curl -fsS "$BASE/api/v1/runners/heartbeat" \
    -H "Authorization: Bearer $RUNNER_TOKEN" \
    -H "Content-Type: application/json" \
--  -d '{"labels":["self-hosted","linux","ubuntu-latest"],"capacity":1}' \
++  -d '{"labels":["self-hosted","linux","ubuntu-latest","x64"],"capacity":1}' \
    | tee /tmp/shithub-claim.json
  ```

docs/internal/runbooks/actions.mdmodified

  ```sh
  shithubd admin runner register \
    --name smoke-runner-1 \
--  --labels self-hosted,linux,ubuntu-latest \
++  --labels self-hosted,linux,ubuntu-latest,x64 \
--  --capacity 1
++  --capacity 1 \
++  --output json
  ```
--3. Start `shithubd-runner` with the printed token. For production hosts, use
++3. Start `shithubd-runner` with the returned token. For production hosts, use
--   the Ansible/systemd path in [runner-deploy.md](./runner-deploy.md).
++   one token per host and store it in ansible-vault, host vars, or the deployment
++   secret store. The role writes `/etc/shithubd-runner/config.toml` with
++   restrictive permissions. Use `--expires-in` only when the automation rotates
++   the runner token before that deadline; the current runner uses the
++   registration token for every heartbeat.
 . Push a `run:`-only workflow:
  ```yaml
  shithubd admin actions runner list
  ```
++Inspect queued jobs by requested `runs-on` label:
++
++```sh
++shithubd admin runner queue
++shithubd admin runner queue --output json
++```
++
  Important metrics:
  - `shithub_actions_queue_depth{resource="runs|jobs"}`
  - `SHITHUB_ACTIONS_VUS=50` controls concurrent virtual users.
  - `SHITHUB_ACTIONS_DURATION=10m` controls the steady-state window.
--- `SHITHUB_RUNNER_LABELS=self-hosted,linux,ubuntu-latest` sets heartbeat
++- `SHITHUB_RUNNER_LABELS=self-hosted,linux,ubuntu-latest,x64` sets heartbeat
    labels.
  - `SHITHUB_RUNNER_CAPACITY=17` keeps three runners near the 50-concurrent
    target.
  - **Run never appears:** confirm the workflow file is under
    `.shithub/workflows/`, parse it with `shithubd admin actions parse <file>`,
    and verify the trigger event matches `on:`.
--- **Run stays queued:** confirm a runner is registered with matching labels and
++- **Run stays queued:** open the run page to see the requested runner labels,
--  capacity, then inspect runner journal output and heartbeat metrics.
++  then run `shithubd admin runner queue` and confirm a live runner is registered
++  with matching labels and capacity. Unsupported hosted labels such as
++  `windows-latest` and `macos-latest` intentionally remain queued until an
++  operator registers matching runners.
  - **Step logs buffer:** verify the Caddy route above and confirm the SSE route
    is still mounted outside compression and short timeouts.
  - **`actions/checkout@v4` fails:** confirm the job is still running, the repo

docs/internal/runbooks/runner-deploy.mdmodified

  shithubd admin runner register \
    --name prod-runner-1 \
    --labels self-hosted,linux,ubuntu-latest,x64 \
--  --capacity 1
++  --capacity 1 \
++  --output json
  ```
--Store the printed token in ansible-vault or the deployment secret store.
++Store the returned `token` in ansible-vault or the deployment secret store.
  Only the token hash is stored in Postgres; the raw token cannot be
  recovered later.
++Use `--expires-in` only when the deployment rotates the token before expiry,
++because the runner presents the registration token on every heartbeat.
  For a generated DigitalOcean inventory, register one token per runner host and
  use the host name as the runner name:
  shithubd admin runner register \
    --name shithub-runner-shared-linux-1 \
    --labels self-hosted,linux,ubuntu-latest,x64 \
--  --capacity 1
++  --capacity 1 \
++  --output json
  ```
  ## Inventory

docs/public/user/actions.mdmodified

  `runs-on: ubuntu-latest` is a runner label, not a promise that shithub downloads
  a hosted Ubuntu image for you. The site operator decides which image a matching
--runner uses. On shithub.sh, use the labels published by the instance operator.
++runner uses. On shithub.sh, the shared Linux pool advertises
++`self-hosted`, `linux`, `ubuntu-latest`, and `x64`.
++
++If a run stays queued, the run page shows the requested label set, for example
++`Waiting for runner with labels: windows-latest`. That means no currently
++registered runner can claim the job.
  ## Current limit
  2. Keep `actions/checkout@v4`, but replace marketplace and artifact `uses:`
     actions with equivalent `run:` commands for now.
  3. Confirm `runs-on:` matches a label registered by your shithub operator.
++   The default shithub.sh shared label for ordinary Linux CI is
++   `ubuntu-latest`.
  Marketplace actions, Docker actions, composite actions, hosted runner images,
  matrix expansion, service containers, submodules, LFS, and artifact transfer

`@@ -79,7 +79,7 @@` go test -trimpath ./internal/actions/... ./internal/auth/runnerjwt ./internal/ru
79		79
80	For a production-like runner host, manually verify:	80	For a production-like runner host, manually verify:
81		81
82	-1. Register a new runner with `self-hosted,linux,ubuntu-latest`.	82	+1. Register a new runner with `self-hosted,linux,ubuntu-latest,x64`.
83	2. Trigger `.shithub/workflows/checkout-canary.yml` on trunk.	83	2. Trigger `.shithub/workflows/checkout-canary.yml` on trunk.
84	3. Confirm the run appears in the Actions tab and the check run completes.	84	3. Confirm the run appears in the Actions tab and the check run completes.
85	4. Confirm step logs stream while the job is running and finalize to object	85	4. Confirm step logs stream while the job is running and finalize to object

tenseleyflow/shithub / `1945c79`

7 changed files