tenseleyflow/shithub / 261e5b7

+support multi-step runner flows, successful in-flight job endpoints

+uses each returned `next_token` serially for log chunks, step-status

+updates, cancel checks, artifact upload requests, and finally the

+terminal job-status update. Reusing any consumed job JWT is a replay and

+must fail with 401.

+`POST /api/v1/jobs/{id}/steps/{step_id}/status`

+

+Auth: job JWT. Body:

+

+```json

+{"status":"completed","conclusion":"success"}

+```

+

+Valid transitions are `queued|running -> running|completed|cancelled|skipped`

+with idempotent repeats of the target terminal state. Completed and

+skipped steps require a valid check conclusion; cancelled defaults to

+`cancelled` when omitted. The endpoint always returns a `next_token`

+because a completed step is not the end of the job.

+

+When object storage is configured, terminal step updates enqueue

+`workflow:finalize_step`. The worker concatenates

+`workflow_step_log_chunks` in sequence order, uploads the log to

+`actions/runs/<run_id>/jobs/<job_id>/steps/<step_id>.log`, stores that

+key and byte count on `workflow_steps`, then deletes the SQL chunks.

+

+S41d PR2 runner execution supports containerized `run:` steps with

+per-step log streaming and server-side log finalization. `uses:` aliases

+such as `actions/checkout@v4` and artifact upload/download remain

+reserved for the later S41d slices that add checkout metadata and

+artifact transfer.

+# Actions runner API

+

+The Actions runner API is mounted under `/api/v1`, but it is not a

+personal-access-token surface. Operators register runners with

+`shithubd admin runner register`; runner processes authenticate

+heartbeats with that registration token and authenticate job updates

+with short-lived, single-use job JWTs returned by the heartbeat claim.

+

+These endpoints are intended for `shithubd-runner`, not browser clients

+or third-party integrations.

+

+## Runner heartbeat

+

+```

+POST /api/v1/runners/heartbeat

+```

+

+Claims one queued workflow job for a registered runner when labels and

+capacity match. Returns `204 No Content` when no job is available, or

+`200 OK` with a job payload and job JWT.

+

+## Job log chunks

+

+```

+POST /api/v1/jobs/{id}/logs

+```

+

+Appends one base64-encoded log chunk to a workflow step. The runner uses

+the `next_token` returned by each successful call for the next job API

+request.

+

+## Step status

+

+```

+POST /api/v1/jobs/{id}/steps/{step_id}/status

+```

+

+Marks a workflow step running, completed, cancelled, or skipped. Terminal

+step updates enqueue server-side log finalization when object storage is

+configured.

+

+## Job status

+

+```

+POST /api/v1/jobs/{id}/status

+```

+

+Marks the claimed job running or terminal, rolls up the workflow run, and

+updates the matching check run.

+

+## Artifact upload

+

+```

+POST /api/v1/jobs/{id}/artifacts/upload

+```

+

+Creates a workflow artifact row and returns a short-lived signed PUT URL

+for object storage.

+

+## Cancel check

+

+```

+POST /api/v1/jobs/{id}/cancel-check

+```

+

+Returns whether the server has requested cancellation for the claimed

+job.

+shithub exposes a small REST API at `/api/v1/`. The user-facing API is

+PAT-authenticated, JSON-bodied, and CSRF-exempt. The Actions runner API

+under the same prefix uses runner registration tokens plus per-job JWTs

+instead of PATs.

+how to create one. Runner endpoints documented in

+[Actions runner API](actions-runner.md) are the exception; they reject

+PATs and require runner credentials.