tenseleyflow/shithub / 1fba1c8

+    @compressible {

+        not path_regexp actions_log_stream_for_compression ^/[^/]+/[^/]+/actions/runs/[0-9]+/jobs/[0-9]+/steps/[0-9]+/log/stream$

+    }

+    encode @compressible gzip

+

+    # Actions step-log SSE must flush each event immediately and must

+    # bypass gzip; buffering here makes logs appear in delayed chunks.

+    @actions_log_stream path_regexp actions_log_stream ^/[^/]+/[^/]+/actions/runs/[0-9]+/jobs/[0-9]+/steps/[0-9]+/log/stream$

+    handle @actions_log_stream {

+        reverse_proxy 127.0.0.1:8080 {

+            transport http {

+                read_timeout 30m

+                write_timeout 30m

+                response_header_timeout 30m

+            }

+            flush_interval -1

+        }

+    }

+# Actions runbook

+

+## Live log tail

+

+Step log pages open an SSE stream at:

+

+```text

+/{owner}/{repo}/actions/runs/{run}/jobs/{job}/steps/{step}/log/stream

+```

+

+The stream sends `event: chunk` records with the chunk sequence as the SSE

+`id`. Browsers reconnect with `Last-Event-ID`; the handler also accepts

+`?after=<seq>` for the first connection from a rendered log page. A terminal

+step sends `event: done` and closes the stream.

+

+Log chunks are never sent through Postgres `NOTIFY`. Runner log writes append

+to `workflow_step_log_chunks`, then `NOTIFY step_log_<step_id>` with only the

+sequence number. Step completion notifies `done`.

+

+## Rate limit

+

+Live tails use `internal/ratelimit` scope `actions:logtail` with five

+concurrent streams per viewer. Authenticated viewers key by user id; anonymous

+public-repo viewers key by client IP. The limiter uses a short lease TTL so a

+dropped connection cannot hold a slot permanently.

+

+## Caddy

+

+The production Caddy template has a dedicated Actions log-stream route with:

+

+```caddy

+flush_interval -1

+```

+

+The same route is excluded from gzip compression. If logs arrive only after

+several kilobytes accumulate, verify the deployed `/etc/caddy/Caddyfile`

+contains that route and reload Caddy:

+

+```sh

+sudo caddy reload --config /etc/caddy/Caddyfile

+```

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+// Package logstream owns the small Postgres LISTEN/NOTIFY contract used by

+// Actions step-log live tailing. NOTIFY payloads intentionally carry only the

+// chunk sequence or terminal marker; the SSE handler reads chunk bytes from

+// workflow_step_log_chunks so verbose logs never hit Postgres's payload cap.

+package logstream

+

+import (

+	"context"

+	"strconv"

+	"strings"

+

+	"github.com/jackc/pgx/v5"

+	"github.com/jackc/pgx/v5/pgconn"

+)

+

+const donePayload = "done"

+

+// DBTX is the Exec-only subset shared by pgxpool.Pool and pgx.Tx.

+type DBTX interface {

+	Exec(context.Context, string, ...interface{}) (pgconn.CommandTag, error)

+}

+

+// Channel returns the per-step NOTIFY channel. stepID comes from postgres, so

+// the numeric suffix is stable and safe to expose as a channel component.

+func Channel(stepID int64) string {

+	return "step_log_" + strconv.FormatInt(stepID, 10)

+}

+

+// ListenSQL returns a quoted LISTEN statement for the per-step channel.

+func ListenSQL(stepID int64) string {

+	return "LISTEN " + pgx.Identifier{Channel(stepID)}.Sanitize()

+}

+

+// NotifyChunk wakes log tailers for a newly-persisted chunk.

+func NotifyChunk(ctx context.Context, db DBTX, stepID int64, seq int32) error {

+	return notify(ctx, db, stepID, strconv.FormatInt(int64(seq), 10))

+}

+

+// NotifyDone wakes log tailers and tells them to send the final done event.

+func NotifyDone(ctx context.Context, db DBTX, stepID int64) error {

+	return notify(ctx, db, stepID, donePayload)

+}

+

+// ParsePayload parses the NOTIFY payload.

+func ParsePayload(payload string) (seq int32, done bool, ok bool) {

+	payload = strings.TrimSpace(payload)

+	if payload == donePayload {

+		return 0, true, true

+	}

+	n, err := strconv.ParseInt(payload, 10, 32)

+	if err != nil || n < 0 {

+		return 0, false, false

+	}

+	return int32(n), false, true

+}

+

+func notify(ctx context.Context, db DBTX, stepID int64, payload string) error {

+	_, err := db.Exec(ctx, "SELECT pg_notify($1, $2)", Channel(stepID), payload)

+	return err

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package logstream

+

+import "testing"

+

+func TestChannelAndListenSQL(t *testing.T) {

+	t.Parallel()

+	if got := Channel(42); got != "step_log_42" {

+		t.Fatalf("Channel=%q", got)

+	}

+	if got := ListenSQL(42); got != `LISTEN "step_log_42"` {

+		t.Fatalf("ListenSQL=%q", got)

+	}

+}

+

+func TestParsePayload(t *testing.T) {

+	t.Parallel()

+	tests := []struct {

+		name     string

+		payload  string

+		wantSeq  int32

+		wantDone bool

+		wantOK   bool

+	}{

+		{name: "chunk", payload: "7", wantSeq: 7, wantOK: true},

+		{name: "done", payload: "done", wantDone: true, wantOK: true},

+		{name: "trim", payload: " 8 ", wantSeq: 8, wantOK: true},

+		{name: "negative", payload: "-1"},

+		{name: "invalid", payload: "chunk:1"},

+	}

+	for _, tt := range tests {

+		t.Run(tt.name, func(t *testing.T) {

+			t.Parallel()

+			gotSeq, gotDone, gotOK := ParsePayload(tt.payload)

+			if gotSeq != tt.wantSeq || gotDone != tt.wantDone || gotOK != tt.wantOK {

+				t.Fatalf("ParsePayload(%q)=(%d,%v,%v)", tt.payload, gotSeq, gotDone, gotOK)

+			}

+		})

+	}

+}

+	"sync/atomic"

+	"github.com/jackc/pgx/v5"

+// Lease represents one held concurrent slot. Release is idempotent.

+type Lease struct {

+	limiter  *Limiter

+	policy   Policy

+	key      string

+	released atomic.Bool

+}

+

+// AcquireLease holds one concurrent slot for long-lived requests such as SSE

+// streams. Callers must Release when the request exits. Policy.Window is the

+// stale-lease TTL: it bounds leak duration if a process exits without release.

+//

+// Like Allow, transient Postgres errors fail open. The returned lease is nil in

+// that case, so callers can continue without a release hook while still logging

+// the error.

+func (l *Limiter) AcquireLease(ctx context.Context, p Policy, key string) (*Lease, Decision, error) {

+	if p.Max <= 0 || p.Window <= 0 {

+		return nil, Decision{}, errors.New("ratelimit: Policy.Max and Window must be positive")

+	}

+	if p.Scope == "" || key == "" {

+		return nil, Decision{}, errors.New("ratelimit: Policy.Scope and key must be non-empty")

+	}

+	row, err := l.q.AcquireRateLimitLease(ctx, l.pool, ratelimitdb.AcquireRateLimitLeaseParams{

+		Scope:   p.Scope,

+		Key:     key,

+		Ttl:     pgtype.Interval{Microseconds: int64(p.Window / time.Microsecond), Valid: true},

+		MaxHits: int32(p.Max),

+	})

+	if errors.Is(err, pgx.ErrNoRows) {

+		return nil, l.blockedLeaseDecision(ctx, p, key), nil

+	}

+	if err != nil {

+		return nil, Decision{Allowed: true, Remaining: p.Max, Limit: p.Max, ResetIn: p.Window}, fmt.Errorf("ratelimit: acquire lease: %w", err)

+	}

+	hits := int(row.Hits)

+	resetIn := time.Until(row.WindowStartedAt.Time.Add(p.Window))

+	if resetIn < 0 {

+		resetIn = 0

+	}

+	return &Lease{limiter: l, policy: p, key: key}, Decision{

+		Allowed:   true,

+		Limit:     p.Max,

+		Remaining: max0(p.Max - hits),

+		ResetIn:   resetIn,

+	}, nil

+}

+

+// Release returns the held slot to the limiter. It is safe to call multiple

+// times; only the first call touches postgres.

+func (l *Lease) Release(ctx context.Context) error {

+	if l == nil || l.limiter == nil {

+		return nil

+	}

+	if !l.released.CompareAndSwap(false, true) {

+		return nil

+	}

+	_, err := l.limiter.q.ReleaseRateLimitLease(ctx, l.limiter.pool, ratelimitdb.ReleaseRateLimitLeaseParams{

+		Scope: l.policy.Scope,

+		Key:   l.key,

+	})

+	if err != nil {

+		return fmt.Errorf("ratelimit: release lease: %w", err)

+	}

+	return nil

+}

+

+func (l *Limiter) blockedLeaseDecision(ctx context.Context, p Policy, key string) Decision {

+	resetIn := p.Window

+	if row, err := l.q.PeekRateLimit(ctx, l.pool, ratelimitdb.PeekRateLimitParams{Scope: p.Scope, Key: key}); err == nil {

+		resetIn = time.Until(row.WindowStartedAt.Time.Add(p.Window))

+		if resetIn <= 0 {

+			resetIn = time.Second

+		}

+	}

+	return Decision{

+		Allowed:    false,

+		Limit:      p.Max,

+		Remaining:  0,

+		ResetIn:    resetIn,

+		RetryAfter: resetIn,

+	}

+}

+

+func TestAcquireLease_BlocksUntilRelease(t *testing.T) {

+	t.Parallel()

+	l := New(dbtest.NewTestDB(t))

+	ctx := context.Background()

+	p := Policy{Scope: "test:lease", Max: 2, Window: time.Hour}

+

+	lease1, d, err := l.AcquireLease(ctx, p, "alice")

+	if err != nil {

+		t.Fatalf("lease1 err: %v", err)

+	}

+	if !d.Allowed || d.Remaining != 1 {

+		t.Fatalf("lease1 decision=%+v", d)

+	}

+	lease2, d, err := l.AcquireLease(ctx, p, "alice")

+	if err != nil {

+		t.Fatalf("lease2 err: %v", err)

+	}

+	if !d.Allowed || d.Remaining != 0 {

+		t.Fatalf("lease2 decision=%+v", d)

+	}

+	lease3, d, err := l.AcquireLease(ctx, p, "alice")

+	if err != nil {

+		t.Fatalf("lease3 err: %v", err)

+	}

+	if lease3 != nil || d.Allowed {

+		t.Fatalf("lease3=(%v,%+v), want blocked without lease", lease3, d)

+	}

+	if err := lease1.Release(ctx); err != nil {

+		t.Fatalf("release lease1: %v", err)

+	}

+	lease4, d, err := l.AcquireLease(ctx, p, "alice")

+	if err != nil {

+		t.Fatalf("lease4 err: %v", err)

+	}

+	if lease4 == nil || !d.Allowed {

+		t.Fatalf("lease4=(%v,%+v), want allowed", lease4, d)

+	}

+	if err := lease1.Release(ctx); err != nil {

+		t.Fatalf("second release lease1: %v", err)

+	}

+	_ = lease2.Release(ctx)

+	_ = lease4.Release(ctx)

+}

+

+func TestAcquireLease_RollsStaleWindow(t *testing.T) {

+	t.Parallel()

+	l := New(dbtest.NewTestDB(t))

+	ctx := context.Background()

+	p := Policy{Scope: "test:lease:ttl", Max: 1, Window: time.Millisecond}

+

+	lease1, d, err := l.AcquireLease(ctx, p, "alice")

+	if err != nil {

+		t.Fatalf("lease1 err: %v", err)

+	}

+	if !d.Allowed {

+		t.Fatalf("lease1 blocked: %+v", d)

+	}

+	time.Sleep(5 * time.Millisecond)

+	lease2, d, err := l.AcquireLease(ctx, p, "alice")

+	if err != nil {

+		t.Fatalf("lease2 err: %v", err)

+	}

+	if lease2 == nil || !d.Allowed {

+		t.Fatalf("stale lease did not roll forward: lease=%v decision=%+v", lease2, d)

+	}

+	_ = lease1.Release(ctx)

+	_ = lease2.Release(ctx)

+}

+

+-- name: AcquireRateLimitLease :one

+-- Concurrent-lease variant for long-lived streams. `hits` is the

+-- currently-held lease count. The ttl rolls stale rows forward so a process

+-- crash or severed TCP connection cannot consume capacity indefinitely.

+INSERT INTO rate_limits (scope, key, hits, window_started_at)

+VALUES (sqlc.arg(scope), sqlc.arg(key), 1, now())

+ON CONFLICT (scope, key)

+DO UPDATE SET

+    hits              = CASE

+                          WHEN rate_limits.window_started_at < now() - sqlc.arg(ttl)::interval

+                          THEN 1

+                          ELSE rate_limits.hits + 1

+                        END,

+    window_started_at = CASE

+                          WHEN rate_limits.window_started_at < now() - sqlc.arg(ttl)::interval

+                          THEN now()

+                          ELSE rate_limits.window_started_at

+                        END

+WHERE rate_limits.window_started_at < now() - sqlc.arg(ttl)::interval

+   OR rate_limits.hits < sqlc.arg(max_hits)::integer

+RETURNING hits, window_started_at;

+

+-- name: ReleaseRateLimitLease :execrows

+UPDATE rate_limits

+SET hits = GREATEST(hits - 1, 0)

+WHERE scope = $1 AND key = $2;

+

+	// Concurrent-lease variant for long-lived streams. `hits` is the

+	// currently-held lease count. The ttl rolls stale rows forward so a process

+	// crash or severed TCP connection cannot consume capacity indefinitely.

+	AcquireRateLimitLease(ctx context.Context, db DBTX, arg AcquireRateLimitLeaseParams) (AcquireRateLimitLeaseRow, error)

+	ReleaseRateLimitLease(ctx context.Context, db DBTX, arg ReleaseRateLimitLeaseParams) (int64, error)

+const acquireRateLimitLease = `-- name: AcquireRateLimitLease :one

+INSERT INTO rate_limits (scope, key, hits, window_started_at)

+VALUES ($1, $2, 1, now())

+ON CONFLICT (scope, key)

+DO UPDATE SET

+    hits              = CASE

+                          WHEN rate_limits.window_started_at < now() - $3::interval

+                          THEN 1

+                          ELSE rate_limits.hits + 1

+                        END,

+    window_started_at = CASE

+                          WHEN rate_limits.window_started_at < now() - $3::interval

+                          THEN now()

+                          ELSE rate_limits.window_started_at

+                        END

+WHERE rate_limits.window_started_at < now() - $3::interval

+   OR rate_limits.hits < $4::integer

+RETURNING hits, window_started_at

+`

+

+type AcquireRateLimitLeaseParams struct {

+	Scope   string

+	Key     string

+	Ttl     pgtype.Interval

+	MaxHits int32

+}

+

+type AcquireRateLimitLeaseRow struct {

+	Hits            int32

+	WindowStartedAt pgtype.Timestamptz

+}

+

+// Concurrent-lease variant for long-lived streams. `hits` is the

+// currently-held lease count. The ttl rolls stale rows forward so a process

+// crash or severed TCP connection cannot consume capacity indefinitely.

+func (q *Queries) AcquireRateLimitLease(ctx context.Context, db DBTX, arg AcquireRateLimitLeaseParams) (AcquireRateLimitLeaseRow, error) {

+	row := db.QueryRow(ctx, acquireRateLimitLease,

+		arg.Scope,

+		arg.Key,

+		arg.Ttl,

+		arg.MaxHits,

+	)

+	var i AcquireRateLimitLeaseRow

+	err := row.Scan(&i.Hits, &i.WindowStartedAt)

+	return i, err

+}

+

+

+const releaseRateLimitLease = `-- name: ReleaseRateLimitLease :execrows

+UPDATE rate_limits

+SET hits = GREATEST(hits - 1, 0)

+WHERE scope = $1 AND key = $2

+`

+

+type ReleaseRateLimitLeaseParams struct {

+	Scope string

+	Key   string

+}

+

+func (q *Queries) ReleaseRateLimitLease(ctx context.Context, db DBTX, arg ReleaseRateLimitLeaseParams) (int64, error) {

+	result, err := db.Exec(ctx, releaseRateLimitLease, arg.Scope, arg.Key)

+	if err != nil {

+		return 0, err

+	}

+	return result.RowsAffected(), nil

+}

+	"github.com/tenseleyFlow/shithub/internal/actions/logstream"

+	if terminal {

+		if err := logstream.NotifyDone(ctx, tx, step.ID); err != nil {

+			return actionsdb.WorkflowStep{}, err

+		}

+	}

+		row, err := q.AppendStepLogChunk(ctx, h.d.Pool, actionsdb.AppendStepLogChunkParams{

+		if err != nil {

+			return err

+		}

+		return logstream.NotifyChunk(ctx, h.d.Pool, stepID, row.Seq)

+	row, err := q.AppendStepLogChunk(ctx, tx, actionsdb.AppendStepLogChunkParams{

+	})

+	switch {

+	case err == nil:

+		if err := logstream.NotifyChunk(ctx, tx, stepID, row.Seq); err != nil {

+			return err

+		}

+	case errors.Is(err, pgx.ErrNoRows):

+	default:

+	IsTerminal   bool

+	StreamHref   string

+	dispatchWorkflows, err := h.actionsDispatchWorkflowViews(r.Context(), row, owner.Username)

+	if err != nil {

+		h.d.Logger.WarnContext(r.Context(), "repo actions: discover dispatch workflows", "repo_id", row.ID, "error", err)

+	}

+	data["DispatchWorkflows"] = dispatchWorkflows

+	if !step.IsTerminal && logContent.Error == "" && logContent.DownloadURL == "" {

+		view.StreamHref = step.LogHref + "/log/stream?after=" + strconv.FormatInt(int64(logContent.LastSeq), 10)

+	}

+		IsTerminal:   workflowStepTerminal(row.Status),

+func workflowStepTerminal(status actionsdb.WorkflowStepStatus) bool {

+	return status == actionsdb.WorkflowStepStatusCompleted ||

+		status == actionsdb.WorkflowStepStatusCancelled ||

+		status == actionsdb.WorkflowStepStatusSkipped

+}

+

+	LastSeq     int32

+	lastSeq := int32(-1)

+		lastSeq = chunk.Seq

+		LastSeq:   lastSeq,

+	"mime"

+	"net/url"

+	req, formPost, ok := h.parseDispatchRequest(w, r)

+	if !ok {

+	inputs, err := normalizeDispatchInputs(req.Inputs, wf.On.WorkflowDispatch.Inputs)

+	if err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusBadRequest, err.Error())

+		return

+	}

+	payload := actionsevent.WorkflowDispatch(inputs)

+	if formPost {

+		redirectTo := "/" + owner.Username + "/" + row.Name + "/actions?workflow=" + url.QueryEscape(file) + "&event=workflow_dispatch"

+		http.Redirect(w, r, redirectTo, http.StatusSeeOther)

+		return

+	}

+func (h *Handlers) parseDispatchRequest(w http.ResponseWriter, r *http.Request) (dispatchRequest, bool, bool) {

+	if mediaType := dispatchFormMediaType(r); mediaType != "" {

+		r.Body = http.MaxBytesReader(w, r.Body, dispatchMaxBody)

+		if err := r.ParseForm(); err != nil {

+			h.d.Render.HTTPError(w, r, http.StatusBadRequest, "invalid form body: "+err.Error())

+			return dispatchRequest{}, true, false

+		}

+		return dispatchRequest{

+			Ref:    strings.TrimSpace(r.PostFormValue("ref")),

+			Inputs: dispatchInputsFromForm(r.PostForm),

+		}, true, true

+	}

+

+	body, err := io.ReadAll(io.LimitReader(r.Body, dispatchMaxBody+1))

+	if err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "read body: "+err.Error())

+		return dispatchRequest{}, false, false

+	}

+	if len(body) > dispatchMaxBody {

+		h.d.Render.HTTPError(w, r, http.StatusRequestEntityTooLarge, "body exceeds 64 KiB")

+		return dispatchRequest{}, false, false

+	}

+	var req dispatchRequest

+	if len(body) > 0 {

+		if err := json.Unmarshal(body, &req); err != nil {

+			h.d.Render.HTTPError(w, r, http.StatusBadRequest, "invalid JSON body: "+err.Error())

+			return dispatchRequest{}, false, false

+		}

+	}

+	return req, false, true

+}

+

+func dispatchFormMediaType(r *http.Request) string {

+	mediaType, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))

+	if err != nil {

+		return ""

+	}

+	switch mediaType {

+	case "application/x-www-form-urlencoded":

+		return mediaType

+	default:

+		return ""

+	}

+}

+

+func dispatchInputsFromForm(values url.Values) map[string]string {

+	inputs := make(map[string]string)

+	for key, vals := range values {

+		name, ok := strings.CutPrefix(key, "inputs.")

+		if !ok || name == "" || len(vals) == 0 {

+			continue

+		}

+		inputs[name] = vals[len(vals)-1]

+	}

+	if len(inputs) == 0 {

+		return nil

+	}

+	return inputs

+}

+

+func normalizeDispatchInputs(raw map[string]string, specs []workflow.DispatchInput) (map[string]string, error) {

+	if raw == nil {

+		raw = map[string]string{}

+	}

+	known := make(map[string]workflow.DispatchInput, len(specs))

+	for _, spec := range specs {

+		known[spec.Name] = spec

+	}

+	for name := range raw {

+		if _, ok := known[name]; !ok {

+			return nil, fmt.Errorf("unknown workflow_dispatch input %q", name)

+		}

+	}

+

+	out := make(map[string]string, len(specs))

+	for _, spec := range specs {

+		value, provided := raw[spec.Name]

+		if !provided || value == "" {

+			value = spec.Default

+		}

+		if spec.Type == "boolean" && !provided && value == "" {

+			value = "false"

+		}

+		if spec.Required && spec.Type != "boolean" && strings.TrimSpace(value) == "" {

+			return nil, fmt.Errorf("workflow_dispatch input %q is required", spec.Name)

+		}

+		switch spec.Type {

+		case "boolean":

+			if value != "true" && value != "false" {

+				return nil, fmt.Errorf("workflow_dispatch input %q must be true or false", spec.Name)

+			}

+		case "choice":

+			if value != "" && !dispatchChoiceAllowed(value, spec.Options) {

+				return nil, fmt.Errorf("workflow_dispatch input %q must be one of the declared options", spec.Name)

+			}

+		}

+		if value != "" || spec.Type == "boolean" {

+			out[spec.Name] = value

+		}

+	}

+	if len(out) == 0 {

+		return nil, nil

+	}

+	return out, nil

+}

+

+func dispatchChoiceAllowed(value string, options []string) bool {

+	for _, option := range options {

+		if value == option {

+			return true

+		}

+	}

+	return false

+}

+

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package repo

+

+import (

+	"context"

+	"errors"

+	"net/url"

+	"os"

+	"path"

+	"sort"

+

+	"github.com/tenseleyFlow/shithub/internal/actions/trigger"

+	"github.com/tenseleyFlow/shithub/internal/actions/workflow"

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+	repogit "github.com/tenseleyFlow/shithub/internal/repos/git"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+)

+

+type actionsDispatchWorkflowView struct {

+	File         string

+	Name         string

+	DispatchHref string

+	Inputs       []actionsDispatchInputView

+}

+

+type actionsDispatchInputView struct {

+	Name        string

+	Description string

+	Type        string

+	Default     string

+	Required    bool

+	IsBoolean   bool

+	IsChoice    bool

+	Options     []actionsDispatchOptionView

+}

+

+type actionsDispatchOptionView struct {

+	Value    string

+	Selected bool

+}

+

+func (h *Handlers) actionsDispatchWorkflowViews(ctx context.Context, row reposdb.Repo, owner string) ([]actionsDispatchWorkflowView, error) {

+	viewer := middleware.CurrentUserFromContext(ctx)

+	if viewer.IsAnonymous() {

+		return nil, nil

+	}

+	dec := policy.Can(ctx, policy.Deps{Pool: h.d.Pool}, viewer.PolicyActor(), policy.ActionRepoWrite, policy.NewRepoRefFromRepo(row))

+	if !dec.Allow {

+		return nil, nil

+	}

+	if row.DefaultBranch == "" {

+		return nil, nil

+	}

+	gitDir, err := h.d.RepoFS.RepoPath(owner, row.Name)

+	if err != nil {

+		return nil, err

+	}

+	if _, err := os.Stat(gitDir); err != nil {

+		if errors.Is(err, os.ErrNotExist) {

+			return nil, nil

+		}

+		return nil, err

+	}

+	headSHA, err := repogit.ResolveRefOID(ctx, gitDir, row.DefaultBranch)

+	if err != nil {

+		if errors.Is(err, repogit.ErrRefNotFound) {

+			return nil, nil

+		}

+		return nil, err

+	}

+	files, _, err := trigger.Discover(ctx, gitDir, headSHA)

+	if err != nil {

+		return nil, err

+	}

+

+	views := make([]actionsDispatchWorkflowView, 0, len(files))

+	for _, file := range files {

+		wf, diags, err := workflow.Parse(file.Bytes)

+		if err != nil || workflowHasErrorDiagnostics(diags) || wf.On.WorkflowDispatch == nil {

+			continue

+		}

+		views = append(views, actionsDispatchWorkflowView{

+			File:         file.Path,

+			Name:         workflowDisplayName(wf.Name, file.Path),

+			DispatchHref: "/" + owner + "/" + row.Name + "/actions/workflows/" + url.PathEscape(path.Base(file.Path)) + "/dispatches",

+			Inputs:       actionsDispatchInputViews(wf.On.WorkflowDispatch.Inputs),

+		})

+	}

+	sort.SliceStable(views, func(i, j int) bool {

+		if views[i].Name == views[j].Name {

+			return views[i].File < views[j].File

+		}

+		return views[i].Name < views[j].Name

+	})

+	return views, nil

+}

+

+func workflowHasErrorDiagnostics(diags []workflow.Diagnostic) bool {

+	for _, d := range diags {

+		if d.Severity == workflow.Error {

+			return true

+		}

+	}

+	return false

+}

+

+func actionsDispatchInputViews(inputs []workflow.DispatchInput) []actionsDispatchInputView {

+	views := make([]actionsDispatchInputView, 0, len(inputs))

+	for _, input := range inputs {

+		view := actionsDispatchInputView{

+			Name:        input.Name,

+			Description: input.Description,

+			Type:        input.Type,

+			Default:     input.Default,

+			Required:    input.Required,

+			IsBoolean:   input.Type == "boolean",

+			IsChoice:    input.Type == "choice",

+		}

+		for _, option := range input.Options {

+			view.Options = append(view.Options, actionsDispatchOptionView{

+				Value:    option,

+				Selected: input.Default == option,

+			})

+		}

+		views = append(views, view)

+	}

+	return views

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package repo

+

+import (

+	"context"

+	"encoding/base64"

+	"encoding/json"

+	"errors"

+	"fmt"

+	"net/http"

+	"strconv"

+	"time"

+

+	"github.com/jackc/pgx/v5"

+

+	"github.com/tenseleyFlow/shithub/internal/actions/logstream"

+	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+	"github.com/tenseleyFlow/shithub/internal/ratelimit"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+)

+

+const (

+	actionsLogStreamBatchSize      = int32(100)

+	actionsLogStreamHeartbeatEvery = 20 * time.Second

+	actionsLogStreamReleaseTimeout = 3 * time.Second

+)

+

+var actionsLogStreamLimit = ratelimit.Policy{

+	Scope:  "actions:logtail",

+	Max:    5,

+	Window: 2 * time.Minute,

+}

+

+type actionsLogStreamChunk struct {

+	Seq      int32  `json:"seq"`

+	ChunkB64 string `json:"chunk_b64"`

+}

+

+func (h *Handlers) repoActionStepLogStream(w http.ResponseWriter, r *http.Request) {

+	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoRead)

+	if !ok {

+		return

+	}

+	runIndex, ok := parsePositiveInt64Param(r, "runIndex")

+	if !ok {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		return

+	}

+	jobIndex, ok := parseNonNegativeInt32Param(r, "jobIndex")

+	if !ok {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		return

+	}

+	stepIndex, ok := parseNonNegativeInt32Param(r, "stepIndex")

+	if !ok {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		return

+	}

+	lastSeq, ok := parseLogStreamAfter(r)

+	if !ok {

+		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "invalid Last-Event-ID")

+		return

+	}

+

+	run, err := h.loadActionsRunDetail(r.Context(), row.ID, owner.Username, row.Name, runIndex)

+	if err != nil {

+		if errors.Is(err, pgx.ErrNoRows) {

+			h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		} else {

+			h.d.Logger.WarnContext(r.Context(), "repo actions: get run for step log stream", "repo_id", row.ID, "run_index", runIndex, "error", err)

+			h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		}

+		return

+	}

+	_, step, ok := findActionStep(run, jobIndex, stepIndex)

+	if !ok {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		return

+	}

+

+	flusher, ok := w.(http.Flusher)

+	if !ok {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "streaming is not supported")

+		return

+	}

+

+	lease, decision, leaseErr := h.acquireLogStreamLease(r.Context(), w, r)

+	if leaseErr != nil && h.d.Logger != nil {

+		h.d.Logger.WarnContext(r.Context(), "repo actions: log stream rate-limit failed", "step_id", step.ID, "error", leaseErr)

+	}

+	if !decision.Allowed {

+		w.Header().Set("Retry-After", strconv.Itoa(int(decision.RetryAfter/time.Second)))

+		h.d.Render.HTTPError(w, r, http.StatusTooManyRequests, "too many live log streams")

+		return

+	}

+	if lease != nil {

+		defer func() {

+			ctx, cancel := context.WithTimeout(context.Background(), actionsLogStreamReleaseTimeout)

+			defer cancel()

+			if err := lease.Release(ctx); err != nil && h.d.Logger != nil {

+				h.d.Logger.WarnContext(r.Context(), "repo actions: release log stream lease", "step_id", step.ID, "error", err)

+			}

+		}()

+	}

+

+	conn, err := h.d.Pool.Acquire(r.Context())

+	if err != nil {

+		h.d.Logger.WarnContext(r.Context(), "repo actions: acquire log stream conn", "step_id", step.ID, "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	defer conn.Release()

+	if _, err := conn.Exec(r.Context(), logstream.ListenSQL(step.ID)); err != nil {

+		h.d.Logger.WarnContext(r.Context(), "repo actions: listen log stream", "step_id", step.ID, "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	w.Header().Set("Content-Type", "text/event-stream; charset=utf-8")

+	w.Header().Set("Cache-Control", "no-cache, no-transform")

+	w.Header().Set("Connection", "keep-alive")

+	w.Header().Set("X-Accel-Buffering", "no")

+	w.WriteHeader(http.StatusOK)

+

+	nextSeq, err := h.flushStepLogChunks(r.Context(), w, conn, step.ID, lastSeq)

+	if err != nil {

+		h.d.Logger.WarnContext(r.Context(), "repo actions: write initial log chunks", "step_id", step.ID, "error", err)

+		return

+	}

+	done, err := h.stepLogStreamDone(r.Context(), conn, step.ID)

+	if err != nil {

+		h.d.Logger.WarnContext(r.Context(), "repo actions: check step terminal", "step_id", step.ID, "error", err)

+		return

+	}

+	if done {

+		_ = writeSSEEvent(w, "done", -1, []byte(`{}`))

+		flusher.Flush()

+		return

+	}

+	flusher.Flush()

+

+	for {

+		waitCtx, cancel := context.WithTimeout(r.Context(), actionsLogStreamHeartbeatEvery)

+		notification, err := conn.Conn().WaitForNotification(waitCtx)

+		cancel()

+		if r.Context().Err() != nil {

+			return

+		}

+		if errors.Is(err, context.DeadlineExceeded) {

+			nextSeq, err = h.flushStepLogChunks(r.Context(), w, conn, step.ID, nextSeq)

+			if err != nil {

+				h.d.Logger.WarnContext(r.Context(), "repo actions: write heartbeat log chunks", "step_id", step.ID, "error", err)

+				return

+			}

+			done, err := h.stepLogStreamDone(r.Context(), conn, step.ID)

+			if err != nil {

+				h.d.Logger.WarnContext(r.Context(), "repo actions: heartbeat terminal check", "step_id", step.ID, "error", err)

+				return

+			}

+			if done {

+				_ = writeSSEEvent(w, "done", -1, []byte(`{}`))

+				flusher.Flush()

+				return

+			}

+			if _, err := fmt.Fprint(w, ": keep-alive\n\n"); err != nil {

+				return

+			}

+			flusher.Flush()

+			continue

+		}

+		if err != nil {

+			h.d.Logger.WarnContext(r.Context(), "repo actions: wait log notification", "step_id", step.ID, "error", err)

+			return

+		}

+		if notification.Channel != logstream.Channel(step.ID) {

+			continue

+		}

+		_, done, ok := logstream.ParsePayload(notification.Payload)

+		if !ok {

+			h.d.Logger.WarnContext(r.Context(), "repo actions: invalid log notification", "step_id", step.ID, "payload", notification.Payload)

+			continue

+		}

+		nextSeq, err = h.flushStepLogChunks(r.Context(), w, conn, step.ID, nextSeq)

+		if err != nil {

+			h.d.Logger.WarnContext(r.Context(), "repo actions: write log chunks", "step_id", step.ID, "error", err)

+			return

+		}

+		if done {

+			_ = writeSSEEvent(w, "done", -1, []byte(`{}`))

+			flusher.Flush()

+			return

+		}

+		flusher.Flush()

+	}

+}

+

+func (h *Handlers) acquireLogStreamLease(ctx context.Context, w http.ResponseWriter, r *http.Request) (*ratelimit.Lease, ratelimit.Decision, error) {

+	if h.d.RateLimiter == nil {

+		return nil, ratelimit.Decision{Allowed: true}, nil

+	}

+	key := logStreamRateLimitKey(r)

+	if key == "" {

+		return nil, ratelimit.Decision{Allowed: true}, nil

+	}

+	lease, decision, err := h.d.RateLimiter.AcquireLease(ctx, actionsLogStreamLimit, key)

+	ratelimit.StampHeaders(w, decision)

+	return lease, decision, err

+}

+

+func logStreamRateLimitKey(r *http.Request) string {

+	viewer := middleware.CurrentUserFromContext(r.Context())

+	if !viewer.IsAnonymous() {

+		return "u:" + strconv.FormatInt(viewer.ID, 10)

+	}

+	if ip, ok := ratelimit.ClientIP(r, true); ok {

+		return "ip:" + ip.String()

+	}

+	return ""

+}

+

+func parseLogStreamAfter(r *http.Request) (int32, bool) {

+	raw := r.Header.Get("Last-Event-ID")

+	if raw == "" {

+		raw = r.URL.Query().Get("after")

+	}

+	if raw == "" {

+		return -1, true

+	}

+	n, err := strconv.ParseInt(raw, 10, 32)

+	if err != nil || n < -1 {

+		return 0, false

+	}

+	return int32(n), true

+}

+

+func (h *Handlers) flushStepLogChunks(ctx context.Context, w http.ResponseWriter, db actionsdb.DBTX, stepID int64, afterSeq int32) (int32, error) {

+	q := actionsdb.New()

+	nextSeq := afterSeq

+	for {

+		chunks, err := q.ListStepLogChunks(ctx, db, actionsdb.ListStepLogChunksParams{

+			StepID: stepID,

+			Seq:    nextSeq,

+			Limit:  actionsLogStreamBatchSize,

+		})

+		if err != nil {

+			return nextSeq, err

+		}

+		for _, chunk := range chunks {

+			payload, err := json.Marshal(actionsLogStreamChunk{

+				Seq:      chunk.Seq,

+				ChunkB64: base64.StdEncoding.EncodeToString(chunk.Chunk),

+			})

+			if err != nil {

+				return nextSeq, err

+			}

+			if err := writeSSEEvent(w, "chunk", chunk.Seq, payload); err != nil {

+				return nextSeq, err

+			}

+			nextSeq = chunk.Seq

+		}

+		if int32(len(chunks)) < actionsLogStreamBatchSize {

+			return nextSeq, nil

+		}

+	}

+}

+

+func (h *Handlers) stepLogStreamDone(ctx context.Context, db actionsdb.DBTX, stepID int64) (bool, error) {

+	step, err := actionsdb.New().GetWorkflowStepByID(ctx, db, stepID)

+	if err != nil {

+		return false, err

+	}

+	return workflowStepTerminal(step.Status), nil

+}

+

+func writeSSEEvent(w http.ResponseWriter, event string, id int32, payload []byte) error {

+	if id >= 0 {

+		if _, err := fmt.Fprintf(w, "id: %d\n", id); err != nil {

+			return err

+		}

+	}

+	if event != "" {

+		if _, err := fmt.Fprintf(w, "event: %s\n", event); err != nil {

+			return err

+		}

+	}

+	if _, err := fmt.Fprintf(w, "data: %s\n\n", payload); err != nil {

+		return err

+	}

+	return nil

+}

+	"encoding/json"

+	"net/url"

+	"github.com/tenseleyFlow/shithub/internal/actions/workflow"

+	repogit "github.com/tenseleyFlow/shithub/internal/repos/git"

+func TestRepoTabActionsRendersDispatchWorkflowsForWriters(t *testing.T) {

+	t.Parallel()

+	f := newRepoFixture(t)

+	f.seedWorkflowFile(t, "manual.yml", dispatchWorkflowFixture)

+

+	resp := httptest.NewRecorder()

+	req := httptest.NewRequest(http.MethodGet, "/alice/public-repo/actions", nil)

+	f.actionsMux(viewerFor(f.owner)).ServeHTTP(resp, req)

+	if resp.Code != http.StatusOK {

+		t.Fatalf("owner status=%d body=%s", resp.Code, resp.Body.String())

+	}

+	body := resp.Body.String()

+	for _, want := range []string{

+		"DISPATCH=Manual:/alice/public-repo/actions/workflows/manual.yml/dispatches:",

+		"env/choice/true//staging|prod|,",

+		"dry_run/boolean/false/true/,",

+	} {

+		if !strings.Contains(body, want) {

+			t.Fatalf("owner body missing %q in %s", want, body)

+		}

+	}

+

+	resp = httptest.NewRecorder()

+	req = httptest.NewRequest(http.MethodGet, "/alice/public-repo/actions", nil)

+	f.actionsMux(viewerFor(f.stranger)).ServeHTTP(resp, req)

+	if resp.Code != http.StatusOK {

+		t.Fatalf("stranger status=%d body=%s", resp.Code, resp.Body.String())

+	}

+	if strings.Contains(resp.Body.String(), "DISPATCH=") {

+		t.Fatalf("dispatch controls leaked to non-writer: %s", resp.Body.String())

+	}

+}

+

+func TestRepoActionsDispatchAcceptsFormInputs(t *testing.T) {

+	t.Parallel()

+	f := newRepoFixture(t)

+	f.seedWorkflowFile(t, "manual.yml", dispatchWorkflowFixture)

+

+	form := url.Values{}

+	form.Set("ref", "trunk")

+	form.Set("inputs.env", "prod")

+	req := httptest.NewRequest(http.MethodPost, "/alice/public-repo/actions/workflows/manual.yml/dispatches", strings.NewReader(form.Encode()))

+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

+	resp := httptest.NewRecorder()

+	f.actionsMux(viewerFor(f.owner)).ServeHTTP(resp, req)

+	if resp.Code != http.StatusSeeOther {

+		t.Fatalf("status=%d body=%s", resp.Code, resp.Body.String())

+	}

+	if loc := resp.Header().Get("Location"); loc != "/alice/public-repo/actions?workflow=.shithub%2Fworkflows%2Fmanual.yml&event=workflow_dispatch" {

+		t.Fatalf("Location=%q", loc)

+	}

+

+	var raw []byte

+	err := f.pool.QueryRow(context.Background(), `

+		SELECT event_payload

+		FROM workflow_runs

+		WHERE repo_id = $1 AND workflow_file = '.shithub/workflows/manual.yml'`,

+		f.publicRepo.ID,

+	).Scan(&raw)

+	if err != nil {

+		t.Fatalf("select workflow dispatch run: %v", err)

+	}

+	var payload map[string]map[string]string

+	if err := json.Unmarshal(raw, &payload); err != nil {

+		t.Fatalf("payload json: %v", err)

+	}

+	if got := payload["inputs"]["env"]; got != "prod" {

+		t.Fatalf("env input=%q", got)

+	}

+	if got := payload["inputs"]["dry_run"]; got != "true" {

+		t.Fatalf("dry_run default=%q", got)

+	}

+}

+

+func TestNormalizeDispatchInputsRejectsUnknownAndInvalidChoice(t *testing.T) {

+	t.Parallel()

+	specs := dispatchWorkflowInputSpecs()

+	if _, err := normalizeDispatchInputs(map[string]string{"bogus": "x"}, specs); err == nil {

+		t.Fatal("unknown input accepted")

+	}

+	if _, err := normalizeDispatchInputs(map[string]string{"env": "qa"}, specs); err == nil {

+		t.Fatal("invalid choice accepted")

+	}

+	if _, err := normalizeDispatchInputs(nil, specs); err == nil {

+		t.Fatal("missing required input accepted")

+	}

+}

+

+		"STREAM=/alice/public-repo/actions/runs/9/jobs/0/steps/0/log/stream?after=1;",

+func TestRepoActionStepLogStreamResumesAndClosesForTerminalStep(t *testing.T) {

+	t.Parallel()

+	f := newRepoFixture(t)

+	now := time.Date(2026, 5, 11, 12, 0, 0, 0, time.UTC)

+	runID := f.insertWorkflowRun(t, workflowRunFixture{

+		RunIndex:      11,

+		WorkflowFile:  ".shithub/workflows/ci.yml",

+		WorkflowName:  "CI",

+		HeadRef:       "trunk",

+		Event:         actionsdb.WorkflowRunEventPush,

+		Status:        actionsdb.WorkflowRunStatusCompleted,

+		Conclusion:    actionsdb.CheckConclusionSuccess,

+		ActorUserID:   f.owner.ID,

+		CreatedOffset: -5 * time.Minute,

+		StartedOffset: -4 * time.Minute,

+		DoneOffset:    -1 * time.Minute,

+	}, now)

+	jobID := f.insertWorkflowJob(t, workflowJobFixture{

+		RunID:       runID,

+		JobIndex:    0,

+		JobKey:      "build",

+		JobName:     "Build",

+		RunsOn:      "ubuntu-latest",

+		Status:      actionsdb.WorkflowJobStatusCompleted,

+		Conclusion:  actionsdb.CheckConclusionSuccess,

+		StartedAt:   now.Add(-4 * time.Minute),

+		CompletedAt: now.Add(-1 * time.Minute),

+	})

+	stepID := f.insertWorkflowStep(t, workflowStepFixture{

+		JobID:       jobID,

+		StepIndex:   0,

+		StepName:    "Run",

+		RunCommand:  "printf done",

+		Status:      actionsdb.WorkflowStepStatusCompleted,

+		Conclusion:  actionsdb.CheckConclusionSuccess,

+		StartedAt:   now.Add(-3 * time.Minute),

+		CompletedAt: now.Add(-1 * time.Minute),

+	})

+	f.insertStepLogChunk(t, stepID, 0, "hello\n")

+	f.insertStepLogChunk(t, stepID, 1, "world\n")

+

+	resp := httptest.NewRecorder()

+	req := httptest.NewRequest(http.MethodGet, "/alice/public-repo/actions/runs/11/jobs/0/steps/0/log/stream?after=0", nil)

+	f.actionsMux(viewerFor(f.owner)).ServeHTTP(resp, req)

+	if resp.Code != http.StatusOK {

+		t.Fatalf("status=%d body=%s", resp.Code, resp.Body.String())

+	}

+	if ct := resp.Header().Get("Content-Type"); !strings.HasPrefix(ct, "text/event-stream") {

+		t.Fatalf("content-type=%q", ct)

+	}

+	body := resp.Body.String()

+	for _, want := range []string{

+		"id: 1\n",

+		"event: chunk\n",

+		`"chunk_b64":"d29ybGQK"`,

+		"event: done\n",

+	} {

+		if !strings.Contains(body, want) {

+			t.Fatalf("stream body missing %q in %s", want, body)

+		}

+	}

+	if strings.Contains(body, "aGVsbG8K") {

+		t.Fatalf("stream replayed chunk before Last-Event-ID: %s", body)

+	}

+}

+

+	mux.Get("/{owner}/{repo}/actions/runs/{runIndex}/jobs/{jobIndex}/steps/{stepIndex}/log/stream", f.handlers.repoActionStepLogStream)

+	mux.Post("/{owner}/{repo}/actions/workflows/{file}/dispatches", f.handlers.repoActionsDispatch)

+const dispatchWorkflowFixture = `name: Manual

+on:

+  workflow_dispatch:

+    inputs:

+      env:

+        description: Environment

+        required: true

+        type: choice

+        options:

+          - staging

+          - prod

+      dry_run:

+        description: Dry run

+        type: boolean

+        default: "true"

+jobs:

+  build:

+    runs-on: ubuntu-latest

+    steps:

+      - run: echo hello

+`

+

+func dispatchWorkflowInputSpecs() []workflow.DispatchInput {

+	return []workflow.DispatchInput{

+		{

+			Name:     "env",

+			Type:     "choice",

+			Required: true,

+			Options:  []string{"staging", "prod"},

+		},

+		{

+			Name:    "dry_run",

+			Type:    "boolean",

+			Default: "true",

+		},

+	}

+}

+

+func (f *repoFixture) seedWorkflowFile(t *testing.T, name, body string) string {

+	t.Helper()

+	ctx := context.Background()

+	gitDir, err := f.handlers.d.RepoFS.RepoPath(f.owner.Username, f.publicRepo.Name)

+	if err != nil {

+		t.Fatalf("RepoPath: %v", err)

+	}

+	if err := f.handlers.d.RepoFS.InitBare(ctx, gitDir); err != nil {

+		t.Fatalf("InitBare: %v", err)

+	}

+	commit, err := (repogit.InitialCommit{

+		GitDir:      gitDir,

+		AuthorName:  "Alice",

+		AuthorEmail: "alice@example.test",

+		Branch:      "trunk",

+		Message:     "Add workflow",

+		When:        time.Date(2026, 5, 11, 12, 0, 0, 0, time.UTC),

+		Files: []repogit.FileEntry{

+			{Path: ".shithub/workflows/" + name, Body: []byte(body)},

+		},

+	}).Build(ctx)

+	if err != nil {

+		t.Fatalf("InitialCommit.Build: %v", err)

+	}

+	return commit

+}

+

+	"github.com/tenseleyFlow/shithub/internal/ratelimit"

+	RateLimiter *ratelimit.Limiter