tenseleyflow/shithub / 29771c7

+- `workflow_run` (actions: `queued`, `running`, `completed`)

+- `workflow_job` (actions: `queued`, `running`, `completed`,

+  `cancelled`)

+

+### Actions payload safety

+

+`workflow_run` and `workflow_job` payloads are structural snapshots:

+ids, run index, workflow path/name, head SHA/ref, event kind, status,

+conclusion, timestamps, job key/name, runner id, needs, timeout, and

+cancellation state. They intentionally do **not** include workflow

+event payloads, env, permissions, logs, runner JWTs, or secret values.

+- `X-Shithub-Event: <event-name>` — e.g., `push`, `pull_request`,

+  `workflow_run`.

+## Actions events

+

+Repository webhooks can subscribe to Actions lifecycle events:

+

+- `workflow_run` actions: `queued`, `running`, `completed`.

+- `workflow_job` actions: `queued`, `running`, `completed`,

+  `cancelled`.

+

+Actions payloads only carry structural run/job metadata. shithub does

+not include workflow event payloads, env, permissions, logs, runner

+tokens, or secrets in webhook bodies.

+

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+// Package events emits webhook-facing Actions lifecycle events.

+//

+// These payloads are deliberately structural. Do not include workflow

+// event_payload, env, permissions, step logs, runner JWTs, or secret material.

+package events

+

+import (

+	"context"

+

+	"github.com/jackc/pgx/v5"

+	"github.com/jackc/pgx/v5/pgtype"

+

+	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/notif"

+)

+

+const (

+	KindWorkflowRun = "workflow_run"

+	KindWorkflowJob = "workflow_job"

+

+	ActionQueued    = "queued"

+	ActionRunning   = "running"

+	ActionCompleted = "completed"

+	ActionCancelled = "cancelled"

+)

+

+// EmitRunTx writes one workflow_run domain event inside the caller's

+// transaction. Use it when the run mutation and event row must commit

+// atomically.

+func EmitRunTx(ctx context.Context, tx pgx.Tx, run actionsdb.WorkflowRun, action string) error {

+	return notif.EmitTx(ctx, tx, runEvent(run, action))

+}

+

+// EmitJobTx writes one workflow_job domain event inside the caller's

+// transaction. The parent run snapshot is included so webhook subscribers do

+// not need a second API call to identify the workflow execution.

+func EmitJobTx(ctx context.Context, tx pgx.Tx, run actionsdb.WorkflowRun, job actionsdb.WorkflowJob, action string) error {

+	return notif.EmitTx(ctx, tx, jobEvent(run, job, action))

+}

+

+func runEvent(run actionsdb.WorkflowRun, action string) notif.Event {

+	return notif.Event{

+		ActorUserID: int8Value(run.ActorUserID),

+		Kind:        KindWorkflowRun,

+		RepoID:      run.RepoID,

+		SourceKind:  KindWorkflowRun,

+		SourceID:    run.ID,

+		Public:      false,

+		Extra: map[string]any{

+			"action":       action,

+			"workflow_run": runPayload(run),

+		},

+	}

+}

+

+func jobEvent(run actionsdb.WorkflowRun, job actionsdb.WorkflowJob, action string) notif.Event {

+	return notif.Event{

+		ActorUserID: int8Value(run.ActorUserID),

+		Kind:        KindWorkflowJob,

+		RepoID:      run.RepoID,

+		SourceKind:  KindWorkflowJob,

+		SourceID:    job.ID,

+		Public:      false,

+		Extra: map[string]any{

+			"action":       action,

+			"workflow_run": runPayload(run),

+			"workflow_job": jobPayload(job),

+		},

+	}

+}

+

+func runPayload(run actionsdb.WorkflowRun) map[string]any {

+	return map[string]any{

+		"id":               run.ID,

+		"repo_id":          run.RepoID,

+		"run_index":        run.RunIndex,

+		"workflow_file":    run.WorkflowFile,

+		"workflow_name":    run.WorkflowName,

+		"head_sha":         run.HeadSha,

+		"head_ref":         run.HeadRef,

+		"event":            string(run.Event),

+		"status":           string(run.Status),

+		"conclusion":       conclusionValue(run.Conclusion),

+		"actor_user_id":    int8Nullable(run.ActorUserID),

+		"parent_run_id":    int8Nullable(run.ParentRunID),

+		"created_at":       timeValue(run.CreatedAt),

+		"updated_at":       timeValue(run.UpdatedAt),

+		"started_at":       timeValue(run.StartedAt),

+		"completed_at":     timeValue(run.CompletedAt),

+		"trigger_event_id": run.TriggerEventID,

+	}

+}

+

+func jobPayload(job actionsdb.WorkflowJob) map[string]any {

+	return map[string]any{

+		"id":               job.ID,

+		"run_id":           job.RunID,

+		"job_index":        job.JobIndex,

+		"job_key":          job.JobKey,

+		"job_name":         job.JobName,

+		"runs_on":          job.RunsOn,

+		"runner_id":        int8Nullable(job.RunnerID),

+		"needs_jobs":       job.NeedsJobs,

+		"timeout_minutes":  job.TimeoutMinutes,

+		"status":           string(job.Status),

+		"conclusion":       conclusionValue(job.Conclusion),

+		"cancel_requested": job.CancelRequested,

+		"created_at":       timeValue(job.CreatedAt),

+		"updated_at":       timeValue(job.UpdatedAt),

+		"started_at":       timeValue(job.StartedAt),

+		"completed_at":     timeValue(job.CompletedAt),

+	}

+}

+

+func conclusionValue(v actionsdb.NullCheckConclusion) any {

+	if !v.Valid {

+		return nil

+	}

+	return string(v.CheckConclusion)

+}

+

+func int8Value(v pgtype.Int8) int64 {

+	if !v.Valid {

+		return 0

+	}

+	return v.Int64

+}

+

+func int8Nullable(v pgtype.Int8) any {

+	if !v.Valid {

+		return nil

+	}

+	return v.Int64

+}

+

+func timeValue(v pgtype.Timestamptz) any {

+	if !v.Valid {

+		return nil

+	}

+	return v.Time.UTC().Format("2006-01-02T15:04:05.999999999Z07:00")

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package events

+

+import (

+	"encoding/json"

+	"strings"

+	"testing"

+	"time"

+

+	"github.com/jackc/pgx/v5/pgtype"

+

+	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"

+)

+

+func TestPayloadsExcludeSensitiveWorkflowState(t *testing.T) {

+	now := pgtype.Timestamptz{Time: time.Date(2026, 5, 12, 12, 0, 0, 0, time.UTC), Valid: true}

+	run := actionsdb.WorkflowRun{

+		ID:             11,

+		RepoID:         22,

+		RunIndex:       3,

+		WorkflowFile:   ".shithub/workflows/ci.yml",

+		WorkflowName:   "CI",

+		HeadSha:        strings.Repeat("a", 40),

+		HeadRef:        "refs/heads/trunk",

+		Event:          actionsdb.WorkflowRunEventPush,

+		EventPayload:   []byte(`{"secret":"do-not-emit"}`),

+		ActorUserID:    pgtype.Int8{Int64: 33, Valid: true},

+		Status:         actionsdb.WorkflowRunStatusRunning,

+		TriggerEventID: "push:demo",

+		CreatedAt:      now,

+		UpdatedAt:      now,

+		StartedAt:      now,

+	}

+	job := actionsdb.WorkflowJob{

+		ID:             44,

+		RunID:          run.ID,

+		JobIndex:       0,

+		JobKey:         "build",

+		JobName:        "Build",

+		RunsOn:         "ubuntu-latest",

+		NeedsJobs:      []string{},

+		TimeoutMinutes: 30,

+		Permissions:    []byte(`{"contents":"read"}`),

+		JobEnv:         []byte(`{"TOKEN":"do-not-emit"}`),

+		Status:         actionsdb.WorkflowJobStatusCompleted,

+		Conclusion:     actionsdb.NullCheckConclusion{CheckConclusion: actionsdb.CheckConclusionSuccess, Valid: true},

+		CreatedAt:      now,

+		UpdatedAt:      now,

+		StartedAt:      now,

+		CompletedAt:    now,

+	}

+

+	payload, err := json.Marshal(jobEvent(run, job, ActionCompleted).Extra)

+	if err != nil {

+		t.Fatalf("marshal payload: %v", err)

+	}

+	got := string(payload)

+	for _, forbidden := range []string{

+		"event_payload",

+		"do-not-emit",

+		"permissions",

+		"job_env",

+		"TOKEN",

+		"secret",

+	} {

+		if strings.Contains(got, forbidden) {

+			t.Fatalf("payload leaked %q: %s", forbidden, got)

+		}

+	}

+	for _, required := range []string{

+		`"action":"completed"`,

+		`"workflow_run"`,

+		`"workflow_job"`,

+		`"status":"completed"`,

+		`"conclusion":"success"`,

+		`"trigger_event_id":"push:demo"`,

+	} {

+		if !strings.Contains(got, required) {

+			t.Fatalf("payload missing %q: %s", required, got)

+		}

+	}

+}

+	actionsevents "github.com/tenseleyFlow/shithub/internal/actions/events"

+	run, err := q.GetWorkflowRunByID(ctx, tx, runID)

+	if err != nil {

+		run, err = q.GetWorkflowRunByID(ctx, tx, runID)

+		if err != nil {

+			return CancelResult{}, err

+		}

+		if err := emitCancelEvents(ctx, tx, run, changed, runCompleted); err != nil {

+			return CancelResult{}, err

+		}

+		run, err := q.GetWorkflowRunByID(ctx, tx, runID)

+		if err != nil {

+			return CancelResult{}, err

+		}

+		if err := emitCancelEvents(ctx, tx, run, changed, runCompleted); err != nil {

+			return CancelResult{}, err

+		}

+func emitCancelEvents(ctx context.Context, tx pgx.Tx, run actionsdb.WorkflowRun, jobs []actionsdb.WorkflowJob, runCompleted bool) error {

+	for _, job := range jobs {

+		if job.Status != actionsdb.WorkflowJobStatusCancelled {

+			continue

+		}

+		if err := actionsevents.EmitJobTx(ctx, tx, run, job, actionsevents.ActionCancelled); err != nil {

+			return err

+		}

+	}

+	if runCompleted {

+		action := actionsevents.ActionCompleted

+		if run.Status == actionsdb.WorkflowRunStatusCancelled {

+			action = actionsevents.ActionCancelled

+		}

+		if err := actionsevents.EmitRunTx(ctx, tx, run, action); err != nil {

+			return err

+		}

+	}

+	return nil

+}

+

+-- name: StartWorkflowRun :one

+UPDATE workflow_runs

+SET status = 'running',

+    started_at = COALESCE(started_at, now()),

+    version = version + 1,

+    updated_at = now()

+WHERE id = $1 AND status = 'queued'

+RETURNING id, repo_id, run_index, workflow_file, workflow_name,

+          head_sha, head_ref, event, event_payload,

+          actor_user_id, parent_run_id, concurrency_group,

+          status, conclusion, pinned, need_approval, approved_by_user_id,

+          started_at, completed_at, version, created_at, updated_at, trigger_event_id;

+

+	StartWorkflowRun(ctx context.Context, db DBTX, id int64) (WorkflowRun, error)

+

+const startWorkflowRun = `-- name: StartWorkflowRun :one

+UPDATE workflow_runs

+SET status = 'running',

+    started_at = COALESCE(started_at, now()),

+    version = version + 1,

+    updated_at = now()

+WHERE id = $1 AND status = 'queued'

+RETURNING id, repo_id, run_index, workflow_file, workflow_name,

+          head_sha, head_ref, event, event_payload,

+          actor_user_id, parent_run_id, concurrency_group,

+          status, conclusion, pinned, need_approval, approved_by_user_id,

+          started_at, completed_at, version, created_at, updated_at, trigger_event_id

+`

+

+func (q *Queries) StartWorkflowRun(ctx context.Context, db DBTX, id int64) (WorkflowRun, error) {

+	row := db.QueryRow(ctx, startWorkflowRun, id)

+	var i WorkflowRun

+	err := row.Scan(

+		&i.ID,

+		&i.RepoID,

+		&i.RunIndex,

+		&i.WorkflowFile,

+		&i.WorkflowName,

+		&i.HeadSha,

+		&i.HeadRef,

+		&i.Event,

+		&i.EventPayload,

+		&i.ActorUserID,

+		&i.ParentRunID,

+		&i.ConcurrencyGroup,

+		&i.Status,

+		&i.Conclusion,

+		&i.Pinned,

+		&i.NeedApproval,

+		&i.ApprovedByUserID,

+		&i.StartedAt,

+		&i.CompletedAt,

+		&i.Version,

+		&i.CreatedAt,

+		&i.UpdatedAt,

+		&i.TriggerEventID,

+	)

+	return i, err

+}

+	actionsevents "github.com/tenseleyFlow/shithub/internal/actions/events"

+	if err := actionsevents.EmitRunTx(ctx, tx, run, actionsevents.ActionQueued); err != nil {

+		return Result{}, fmt.Errorf("trigger: emit run queued event: %w", err)

+	}

+		if err := actionsevents.EmitJobTx(ctx, tx, run, job, actionsevents.ActionQueued); err != nil {

+			return Result{}, fmt.Errorf("trigger: emit job queued event for %s: %w", j.Key, err)

+		}

+	if err := emitConcurrencyCancelEvents(ctx, tx, q, concurrencyResult.CancelledJobs); err != nil {

+		return Result{}, err

+	}

+func emitConcurrencyCancelEvents(

+	ctx context.Context,

+	tx pgx.Tx,

+	q *actionsdb.Queries,

+	jobs []actionsdb.WorkflowJob,

+) error {

+	if len(jobs) == 0 {

+		return nil

+	}

+	emittedRun := map[int64]struct{}{}

+	for _, job := range jobs {

+		run, err := q.GetWorkflowRunByID(ctx, tx, job.RunID)

+		if err != nil {

+			return fmt.Errorf("trigger: load concurrency-cancelled run: %w", err)

+		}

+		if job.Status == actionsdb.WorkflowJobStatusCancelled {

+			if err := actionsevents.EmitJobTx(ctx, tx, run, job, actionsevents.ActionCancelled); err != nil {

+				return fmt.Errorf("trigger: emit concurrency job cancelled event: %w", err)

+			}

+		}

+		if _, ok := emittedRun[run.ID]; ok {

+			continue

+		}

+		if workflowRunTerminal(run.Status) {

+			if err := actionsevents.EmitRunTx(ctx, tx, run, runTerminalAction(run)); err != nil {

+				return fmt.Errorf("trigger: emit concurrency run terminal event: %w", err)

+			}

+			emittedRun[run.ID] = struct{}{}

+		}

+	}

+	return nil

+}

+

+func workflowRunTerminal(status actionsdb.WorkflowRunStatus) bool {

+	return status == actionsdb.WorkflowRunStatusCompleted || status == actionsdb.WorkflowRunStatusCancelled

+}

+

+func runTerminalAction(run actionsdb.WorkflowRun) string {

+	if run.Status == actionsdb.WorkflowRunStatusCancelled {

+		return actionsevents.ActionCancelled

+	}

+	return actionsevents.ActionCompleted

+}

+

+	assertDomainEventCounts(t, f.pool, f.repoID, map[string]int64{

+		"workflow_run": 1,

+		"workflow_job": 1,

+	})

+	assertDomainEventCounts(t, f.pool, f.repoID, map[string]int64{

+		"workflow_run": 3,

+		"workflow_job": 3,

+	})

+}

+

+func assertDomainEventCounts(t *testing.T, db actionsdb.DBTX, repoID int64, want map[string]int64) {

+	t.Helper()

+	for kind, n := range want {

+		var got int64

+		if err := db.QueryRow(context.Background(),

+			`SELECT count(*) FROM domain_events WHERE repo_id = $1 AND kind = $2`,

+			repoID, kind,

+		).Scan(&got); err != nil {

+			t.Fatalf("count domain events %s: %v", kind, err)

+		}

+		if got != n {

+			t.Fatalf("domain_events[%s] = %d, want %d", kind, got, n)

+		}

+	}

+	// S41h — Actions run/job lifecycle. Metadata must stay structural:

+	// run/job ids, status, conclusion, workflow path/name. Never include

+	// event payloads, env, logs, permissions, tokens, or secret values.

+	ActionWorkflowRunCreated   Action = "workflow_run_created"

+	ActionWorkflowRunStarted   Action = "workflow_run_started"

+	ActionWorkflowRunCompleted Action = "workflow_run_completed"

+	ActionWorkflowJobCreated   Action = "workflow_job_created"

+	ActionWorkflowJobStarted   Action = "workflow_job_started"

+	ActionWorkflowJobCompleted Action = "workflow_job_completed"

+	ActionWorkflowJobCancelled Action = "workflow_job_cancelled"

+

+	actionsevents "github.com/tenseleyFlow/shithub/internal/actions/events"

+	run, err := q.StartWorkflowRun(ctx, tx, job.RunID)

+	if err == nil {

+		if err := actionsevents.EmitRunTx(ctx, tx, run, actionsevents.ActionRunning); err != nil {

+			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err

+		}

+	} else if errors.Is(err, pgx.ErrNoRows) {

+		run, err = q.GetWorkflowRunByID(ctx, tx, job.RunID)

+		if err != nil {

+			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err

+		}

+	} else {

+		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err

+	}

+	if err := actionsevents.EmitJobTx(ctx, tx, run, claimRowWorkflowJob(job), actionsevents.ActionRunning); err != nil {

+	runAfter, err := q.GetWorkflowRunByID(ctx, tx, updated.RunID)

+	if err != nil {

+		return actionsdb.WorkflowJob{}, false, "", err

+	}

+	runBefore := runAfter

+	runStarted := false

+	runTerminalChanged := false

+		runAfter, err = q.CompleteWorkflowRun(ctx, tx, actionsdb.CompleteWorkflowRunParams{

+		})

+		if err != nil {

+			return actionsdb.WorkflowJob{}, false, "", err

+		}

+		runTerminalChanged = workflowRunLifecycleChanged(runBefore, runAfter)

+	} else {

+		startedRun, err := q.StartWorkflowRun(ctx, tx, updated.RunID)

+		if err == nil {

+			runAfter = startedRun

+			runStarted = true

+		} else if !errors.Is(err, pgx.ErrNoRows) {

+	}

+	if jobLifecycleChanged(job, updated) {

+		if err := actionsevents.EmitJobTx(ctx, tx, runAfter, updated, workflowJobEventAction(updated.Status)); err != nil {

+			return actionsdb.WorkflowJob{}, false, "", err

+		}

+	}

+	if runStarted {

+		if err := actionsevents.EmitRunTx(ctx, tx, runAfter, actionsevents.ActionRunning); err != nil {

+	}

+	if complete && runTerminalChanged {

+		if err := actionsevents.EmitRunTx(ctx, tx, runAfter, workflowRunEventAction(runAfter.Status)); err != nil {

+			return actionsdb.WorkflowJob{}, false, "", err

+		}

+	}

+func claimRowWorkflowJob(row actionsdb.ClaimQueuedWorkflowJobRow) actionsdb.WorkflowJob {

+	return actionsdb.WorkflowJob{

+		ID:              row.ID,

+		RunID:           row.RunID,

+		JobIndex:        row.JobIndex,

+		JobKey:          row.JobKey,

+		JobName:         row.JobName,

+		RunsOn:          row.RunsOn,

+		RunnerID:        row.RunnerID,

+		NeedsJobs:       row.NeedsJobs,

+		IfExpr:          row.IfExpr,

+		TimeoutMinutes:  row.TimeoutMinutes,

+		Permissions:     row.Permissions,

+		JobEnv:          row.JobEnv,

+		Status:          row.Status,

+		Conclusion:      row.Conclusion,

+		CancelRequested: row.CancelRequested,

+		StartedAt:       row.StartedAt,

+		CompletedAt:     row.CompletedAt,

+		Version:         row.Version,

+		CreatedAt:       row.CreatedAt,

+		UpdatedAt:       row.UpdatedAt,

+	}

+}

+

+func jobLifecycleChanged(before, after actionsdb.WorkflowJob) bool {

+	if before.Status != after.Status {

+		return true

+	}

+	if before.Conclusion.Valid != after.Conclusion.Valid {

+		return true

+	}

+	return before.Conclusion.Valid && before.Conclusion.CheckConclusion != after.Conclusion.CheckConclusion

+}

+

+func workflowRunLifecycleChanged(before, after actionsdb.WorkflowRun) bool {

+	if before.Status != after.Status {

+		return true

+	}

+	if before.Conclusion.Valid != after.Conclusion.Valid {

+		return true

+	}

+	return before.Conclusion.Valid && before.Conclusion.CheckConclusion != after.Conclusion.CheckConclusion

+}

+

+func workflowJobEventAction(status actionsdb.WorkflowJobStatus) string {

+	switch status {

+	case actionsdb.WorkflowJobStatusCancelled:

+		return actionsevents.ActionCancelled

+	case actionsdb.WorkflowJobStatusCompleted, actionsdb.WorkflowJobStatusSkipped:

+		return actionsevents.ActionCompleted

+	case actionsdb.WorkflowJobStatusRunning:

+		return actionsevents.ActionRunning

+	default:

+		return actionsevents.ActionQueued

+	}

+}

+

+func workflowRunEventAction(status actionsdb.WorkflowRunStatus) string {

+	if status == actionsdb.WorkflowRunStatusCancelled {

+		return actionsevents.ActionCancelled

+	}

+	return actionsevents.ActionCompleted

+}

+