actions/runner: snapshot secret masks at claim

Status	File	+	-
M	`docs/internal/actions-runner-api.md`	9	5
M	`docs/internal/actions-schema.md`	35	23
A	`internal/actions/queries/workflow_job_secret_masks.sql`	14	0
M	`internal/actions/sqlc/models.go`	7	0
M	`internal/actions/sqlc/querier.go`	3	0
A	`internal/actions/sqlc/workflow_job_secret_masks.sql.go`	50	0
M	`internal/admin/sqlc/models.go`	7	0
M	`internal/auth/policy/sqlc/models.go`	7	0
M	`internal/checks/sqlc/models.go`	7	0
M	`internal/issues/sqlc/models.go`	7	0
M	`internal/meta/sqlc/models.go`	7	0
A	`internal/migrationsfs/migrations/0055_workflow_job_secret_masks.sql`	16	0
M	`internal/notif/sqlc/models.go`	7	0
M	`internal/orgs/sqlc/models.go`	7	0
M	`internal/pulls/sqlc/models.go`	7	0
M	`internal/ratelimit/sqlc/models.go`	7	0
M	`internal/repos/sqlc/models.go`	7	0
M	`internal/social/sqlc/models.go`	7	0
M	`internal/users/sqlc/models.go`	7	0
M	`internal/web/handlers/api/runners.go`	116	32
M	`internal/web/handlers/api/runners_test.go`	6	0
M	`internal/webhook/sqlc/models.go`	7	0
M	`internal/worker/sqlc/models.go`	7	0

docs/internal/actions-runner-api.mdmodified

  enforced server-side by counting current `workflow_jobs.status =
  'running'` rows for the runner while holding a row lock on the runner.
  The job payload includes resolved `secrets` and `mask_values`; repo
 -secrets shadow org secrets with the same name.
 +secrets shadow org secrets with the same name. The server also stores
 +an encrypted claim-time copy of the mask values on
 +`workflow_job_secret_masks` so later log uploads are scrubbed against
 +the secrets that were actually handed to the runner, even if an
 +operator rotates or deletes a secret mid-job.
  `POST /api/v1/jobs/{id}/logs`
  first step in the job receives the chunk. Chunks are base64-decoded,
  capped at 512 KiB raw, and appended to `workflow_step_log_chunks`.
  Duplicate `(step_id, seq)` inserts are accepted as idempotent retries.
 -Before append, the API re-scrubs exact secret values from the runner
 -claim's visible secret set. It also reprocesses any possible secret
 -prefix carried at the end of the prior chunk, so a runner cannot leak a
 -secret by splitting it across two log calls.
 +Before append, the API re-scrubs exact secret values from the job's
 +claim-time mask snapshot. It also reprocesses any possible secret prefix
 +carried at the end of the prior chunk, so a runner cannot leak a secret
 +by splitting it across two log calls.
  `POST /api/v1/jobs/{id}/steps/{step_id}/status`

docs/internal/actions-schema.mdmodified

  ## SQL schema
 -Actions migrations currently span 0042–0051 and 0053. Migration 0052 belongs to
 -the repo source-remotes feature and was already deployed before the runner JWT
 -replay table landed.
 +Actions migrations currently span 0042–0051, 0053, and 0055. Migration
 +0052 belongs to the repo source-remotes feature and 0054 belongs to push
 +event protocol tracking.
  | #     | Table                       | Purpose                                                       |
  | ----- | --------------------------- | ------------------------------------------------------------- |
  | 0050  | `workflow_steps.step_with`  | Parsed `with:` inputs for magic `uses:` aliases               |
  | 0051  | `workflow_runs.trigger_event_id` | Trigger idempotency for retries/admin replays            |
  | 0053  | `runner_jwt_used`           | Single-use replay gate for runner job JWTs                    |
 +| 0055  | `workflow_job_secret_masks` | Encrypted claim-time log mask snapshots per job               |
  A few load-bearing choices, called out so they're easy to spot in a
  later schema diff:
    and the API returns 401. JWTs are HMAC-SHA256 and use an HKDF
    subkey derived from `auth.totp_key_b64` with label
    `actions-runner-jwt-v1`.
 +- **`workflow_job_secret_masks`** — one encrypted JSON array of exact
 +  secret values per claimed job. It snapshots the log scrub set at
 +  claim time, preventing a rotated or deleted secret from disappearing
 +  from server-side masking while the old value is still in a runner's
 +  job payload.
  The `version` and `run_index` patterns are the two pieces I'd point
  out to a future maintainer first. Both are cheap to add now and
  | Namespace        | Source            | Tainted?                    |
  | ---------------- | ----------------- | --------------------------- |
 -| `secrets.X`      | workflow_secrets  | no (operator-controlled)    |
 +| `secrets.X`      | workflow_secrets  | no, but sensitive           |
  | `vars.X`         | actions_variables | no (operator-controlled)    |
  | `env.X`          | workflow file     | no (workflow author's text) |
  | `shithub.run_id` | dispatch context  | no                          |
  - Reading `shithub.event.X` → `Tainted: true` (always, including
    missing-path null results).
 -- Reading any other namespace → `Tainted: false`, except `env.X`
 -  preserves the taint of the resolved env value. This closes the
 -  escape where an event-derived value is first assigned to env and
 -  then interpolated through `${{ env.X }}`.
 -- Binary op (`==`, `!=`, `&&`, `||`) → tainted if either operand is.
 -- Unary op (`!`) → tainted iff its operand is.
 -- Function call (`contains`, `startsWith`, `endsWith`) → tainted
 -  if any argument is.
+-
 -The runner consumes `Tainted` and refuses to interpolate tainted
 -values into shell strings. Instead, tainted values are bound to
 +- Reading `secrets.X` → `Sensitive: true`. Secrets are operator-
 +  controlled, so they are not tainted, but they must not appear in
 +  shell source strings or Docker argv.
 +- Reading any other namespace → `Tainted: false` and
 +  `Sensitive: false`, except `env.X` preserves both flags of the
 +  resolved env value. This closes the escape where an event-derived or
 +  secret-derived value is first assigned to env and then interpolated
 +  through `${{ env.X }}`.
 +- Binary op (`==`, `!=`, `&&`, `||`) → tainted or sensitive if either
 +  operand is.
 +- Unary op (`!`) → tainted/sensitive iff its operand is.
 +- Function call (`contains`, `startsWith`, `endsWith`) → tainted or
 +  sensitive if any argument is.
++
 +The runner consumes `Tainted` and `Sensitive` and refuses to interpolate
 +either class into shell strings. Instead, those values are bound to
  runner-owned `SHITHUB_INPUT_xx` envvars and the shell source only
  references those placeholders. The author writes:
  ```
  …where `$user_pr_title` is set via Go's `cmd.Env`, never inserted into
 -the shell source string. Backticks, `$()`, `;`, `&&` — none of those
 -work as command-injection vectors when the value reaches the shell as
 -environment data instead of syntax.
 +the shell source string or Docker CLI argv. Backticks, `$()`, `;`,
 +`&&` — none of those work as command-injection vectors when the value
 +reaches the shell as environment data instead of syntax.
  The shared renderer lives in `internal/runner/exec`, so future engines
  consume the same injection boundary instead of reimplementing it. The
  posted to the API. It masks exact secret values and preserves enough
  tail bytes between chunks to catch a secret split across chunk
  boundaries. S41e wires resolved workflow secrets into the runner claim
 -payload and mask set, then applies the same exact-value scrub again in
 -the runner API before persisting chunks. The server path also carries a
 -possible secret-prefix tail from the prior persisted chunk, so a runner
 -that bypasses client-side scrubbing cannot leak a secret by splitting
 -it across adjacent log POSTs.
 +payload and mask set, snapshots that mask set encrypted on the job, then
 +applies the same exact-value scrub again in the runner API before
 +persisting chunks. The server path also carries a possible secret-prefix
 +tail from the prior persisted chunk, so a runner that bypasses
 +client-side scrubbing cannot leak a secret by splitting it across
 +adjacent log POSTs.
  ## `shithub.event` payload schema (v1)

internal/actions/queries/workflow_job_secret_masks.sqladded

 +-- SPDX-License-Identifier: AGPL-3.0-or-later
++
 +-- name: UpsertWorkflowJobSecretMask :exec
 +INSERT INTO workflow_job_secret_masks (job_id, ciphertext, nonce)
 +VALUES ($1, $2, $3)
 +ON CONFLICT (job_id) DO UPDATE
 +SET ciphertext = EXCLUDED.ciphertext,
 +    nonce      = EXCLUDED.nonce,
 +    created_at = now();
++
 +-- name: GetWorkflowJobSecretMask :one
 +SELECT job_id, ciphertext, nonce, created_at
 +FROM workflow_job_secret_masks
 +WHERE job_id = $1;

internal/actions/sqlc/models.gomodified

  	UpdatedAt       pgtype.Timestamptz
+ }
 +type WorkflowJobSecretMask struct {
 +	JobID      int64
 +	Ciphertext []byte
 +	Nonce      []byte
 +	CreatedAt  pgtype.Timestamptz
 +}
++
  type WorkflowRun struct {
  	ID               int64
  	RepoID           int64

internal/actions/sqlc/querier.gomodified

  	GetStepLogChunkBefore(ctx context.Context, db DBTX, arg GetStepLogChunkBeforeParams) (WorkflowStepLogChunk, error)
  	GetStepLogChunkByStepSeq(ctx context.Context, db DBTX, arg GetStepLogChunkByStepSeqParams) (WorkflowStepLogChunk, error)
  	GetWorkflowJobByID(ctx context.Context, db DBTX, id int64) (WorkflowJob, error)
 +	GetWorkflowJobSecretMask(ctx context.Context, db DBTX, jobID int64) (WorkflowJobSecretMask, error)
  	GetWorkflowRunByID(ctx context.Context, db DBTX, id int64) (WorkflowRun, error)
  	GetWorkflowStepByID(ctx context.Context, db DBTX, id int64) (WorkflowStep, error)
  	HeartbeatRunner(ctx context.Context, db DBTX, arg HeartbeatRunnerParams) (WorkflowRunner, error)
  	UpsertRepoSecret(ctx context.Context, db DBTX, arg UpsertRepoSecretParams) (WorkflowSecret, error)
  	// SPDX-License-Identifier: AGPL-3.0-or-later
  	UpsertRepoVariable(ctx context.Context, db DBTX, arg UpsertRepoVariableParams) (ActionsVariable, error)
 +	// SPDX-License-Identifier: AGPL-3.0-or-later
 +	UpsertWorkflowJobSecretMask(ctx context.Context, db DBTX, arg UpsertWorkflowJobSecretMaskParams) error
+ }
  var _ Querier = (*Queries)(nil)

internal/actions/sqlc/workflow_job_secret_masks.sql.goadded

 +// Code generated by sqlc. DO NOT EDIT.
 +// versions:
 +//   sqlc v1.31.1
 +// source: workflow_job_secret_masks.sql
++
 +package actionsdb
++
 +import (
 +	"context"
 +)
++
 +const getWorkflowJobSecretMask = `-- name: GetWorkflowJobSecretMask :one
 +SELECT job_id, ciphertext, nonce, created_at
 +FROM workflow_job_secret_masks
 +WHERE job_id = $1
 +`
++
 +func (q *Queries) GetWorkflowJobSecretMask(ctx context.Context, db DBTX, jobID int64) (WorkflowJobSecretMask, error) {
 +	row := db.QueryRow(ctx, getWorkflowJobSecretMask, jobID)
 +	var i WorkflowJobSecretMask
 +	err := row.Scan(
 +		&i.JobID,
 +		&i.Ciphertext,
 +		&i.Nonce,
 +		&i.CreatedAt,
 +	)
 +	return i, err
 +}
++
 +const upsertWorkflowJobSecretMask = `-- name: UpsertWorkflowJobSecretMask :exec
++
 +INSERT INTO workflow_job_secret_masks (job_id, ciphertext, nonce)
 +VALUES ($1, $2, $3)
 +ON CONFLICT (job_id) DO UPDATE
 +SET ciphertext = EXCLUDED.ciphertext,
 +    nonce      = EXCLUDED.nonce,
 +    created_at = now()
 +`
++
 +type UpsertWorkflowJobSecretMaskParams struct {
 +	JobID      int64
 +	Ciphertext []byte
 +	Nonce      []byte
 +}
++
 +// SPDX-License-Identifier: AGPL-3.0-or-later
 +func (q *Queries) UpsertWorkflowJobSecretMask(ctx context.Context, db DBTX, arg UpsertWorkflowJobSecretMaskParams) error {
 +	_, err := db.Exec(ctx, upsertWorkflowJobSecretMask, arg.JobID, arg.Ciphertext, arg.Nonce)
 +	return err
 +}

internal/admin/sqlc/models.gomodified

  	UpdatedAt       pgtype.Timestamptz
+ }
 +type WorkflowJobSecretMask struct {
 +	JobID      int64
 +	Ciphertext []byte
 +	Nonce      []byte
 +	CreatedAt  pgtype.Timestamptz
 +}
++
  type WorkflowRun struct {
  	ID               int64
  	RepoID           int64

internal/auth/policy/sqlc/models.gomodified

  	UpdatedAt       pgtype.Timestamptz
+ }
 +type WorkflowJobSecretMask struct {
 +	JobID      int64
 +	Ciphertext []byte
 +	Nonce      []byte
 +	CreatedAt  pgtype.Timestamptz
 +}
++
  type WorkflowRun struct {
  	ID               int64
  	RepoID           int64

internal/checks/sqlc/models.gomodified

  	UpdatedAt       pgtype.Timestamptz
+ }
 +type WorkflowJobSecretMask struct {
 +	JobID      int64
 +	Ciphertext []byte
 +	Nonce      []byte
 +	CreatedAt  pgtype.Timestamptz
 +}
++
  type WorkflowRun struct {
  	ID               int64
  	RepoID           int64

internal/issues/sqlc/models.gomodified

  	UpdatedAt       pgtype.Timestamptz
+ }
 +type WorkflowJobSecretMask struct {
 +	JobID      int64
 +	Ciphertext []byte
 +	Nonce      []byte
 +	CreatedAt  pgtype.Timestamptz
 +}
++
  type WorkflowRun struct {
  	ID               int64
  	RepoID           int64

internal/meta/sqlc/models.gomodified

  	UpdatedAt       pgtype.Timestamptz
+ }
 +type WorkflowJobSecretMask struct {
 +	JobID      int64
 +	Ciphertext []byte
 +	Nonce      []byte
 +	CreatedAt  pgtype.Timestamptz
 +}
++
  type WorkflowRun struct {
  	ID               int64
  	RepoID           int64

internal/migrationsfs/migrations/0055_workflow_job_secret_masks.sqladded

 +-- SPDX-License-Identifier: AGPL-3.0-or-later
++
 +-- +goose Up
 +CREATE TABLE workflow_job_secret_masks (
 +    job_id bigint PRIMARY KEY REFERENCES workflow_jobs(id) ON DELETE CASCADE,
 +    ciphertext bytea NOT NULL,
 +    nonce bytea NOT NULL,
 +    created_at timestamptz NOT NULL DEFAULT now(),
 +    CONSTRAINT workflow_job_secret_masks_nonce_length
 +        CHECK (octet_length(nonce) = 12),
 +    CONSTRAINT workflow_job_secret_masks_ciphertext_nonempty
 +        CHECK (octet_length(ciphertext) > 0)
 +);
++
 +-- +goose Down
 +DROP TABLE IF EXISTS workflow_job_secret_masks;

internal/notif/sqlc/models.gomodified

  	UpdatedAt       pgtype.Timestamptz
+ }
 +type WorkflowJobSecretMask struct {
 +	JobID      int64
 +	Ciphertext []byte
 +	Nonce      []byte
 +	CreatedAt  pgtype.Timestamptz
 +}
++
  type WorkflowRun struct {
  	ID               int64
  	RepoID           int64

internal/orgs/sqlc/models.gomodified

  	UpdatedAt       pgtype.Timestamptz
+ }
 +type WorkflowJobSecretMask struct {
 +	JobID      int64
 +	Ciphertext []byte
 +	Nonce      []byte
 +	CreatedAt  pgtype.Timestamptz
 +}
++
  type WorkflowRun struct {
  	ID               int64
  	RepoID           int64

internal/pulls/sqlc/models.gomodified

  	UpdatedAt       pgtype.Timestamptz
+ }
 +type WorkflowJobSecretMask struct {
 +	JobID      int64
 +	Ciphertext []byte
 +	Nonce      []byte
 +	CreatedAt  pgtype.Timestamptz
 +}
++
  type WorkflowRun struct {
  	ID               int64
  	RepoID           int64

internal/ratelimit/sqlc/models.gomodified

  	UpdatedAt       pgtype.Timestamptz
+ }
 +type WorkflowJobSecretMask struct {
 +	JobID      int64
 +	Ciphertext []byte
 +	Nonce      []byte
 +	CreatedAt  pgtype.Timestamptz
 +}
++
  type WorkflowRun struct {
  	ID               int64
  	RepoID           int64

internal/repos/sqlc/models.gomodified

  	UpdatedAt       pgtype.Timestamptz
+ }
 +type WorkflowJobSecretMask struct {
 +	JobID      int64
 +	Ciphertext []byte
 +	Nonce      []byte
 +	CreatedAt  pgtype.Timestamptz
 +}
++
  type WorkflowRun struct {
  	ID               int64
  	RepoID           int64

internal/social/sqlc/models.gomodified

  	UpdatedAt       pgtype.Timestamptz
+ }
 +type WorkflowJobSecretMask struct {
 +	JobID      int64
 +	Ciphertext []byte
 +	Nonce      []byte
 +	CreatedAt  pgtype.Timestamptz
 +}
++
  type WorkflowRun struct {
  	ID               int64
  	RepoID           int64

internal/users/sqlc/models.gomodified

  	UpdatedAt       pgtype.Timestamptz
+ }
 +type WorkflowJobSecretMask struct {
 +	JobID      int64
 +	Ciphertext []byte
 +	Nonce      []byte
 +	CreatedAt  pgtype.Timestamptz
 +}
++
  type WorkflowRun struct {
  	ID               int64
  	RepoID           int64

internal/web/handlers/api/runners.gomodified

  	"github.com/tenseleyFlow/shithub/internal/actions/finalize"
  	"github.com/tenseleyFlow/shithub/internal/actions/runnerlabels"
  	"github.com/tenseleyFlow/shithub/internal/actions/runnertoken"
 -	"github.com/tenseleyFlow/shithub/internal/actions/secrets"
  	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"
  	"github.com/tenseleyFlow/shithub/internal/auth/runnerjwt"
  	"github.com/tenseleyFlow/shithub/internal/checks"
  		return
+ 	}
 -	job, steps, claimed, err := h.claimRunnerJob(r.Context(), runner.ID, labels, int32(capacity))
 +	job, steps, resolvedSecrets, claimed, err := h.claimRunnerJob(r.Context(), runner.ID, labels, int32(capacity))
  	if err != nil {
  		h.d.Logger.ErrorContext(r.Context(), "runner heartbeat claim failed", "runner_id", runner.ID, "error", err)
  		writeAPIError(w, http.StatusInternalServerError, "runner heartbeat failed")
+ 	}
  	metrics.ActionsRunnerHeartbeatsTotal.WithLabelValues("claimed").Inc()
  	metrics.ActionsRunnerJWTTotal.WithLabelValues("issued").Inc()
 -	resolvedSecrets, err := h.resolveVisibleSecrets(r.Context(), job.RepoID)
 -	if err != nil {
 -		h.d.Logger.ErrorContext(r.Context(), "runner secret resolution failed", "repo_id", job.RepoID, "job_id", job.ID, "error", err)
 -		writeAPIError(w, http.StatusInternalServerError, "runner secret resolution failed")
 -		return
 -	}
  	writeJSON(w, http.StatusOK, presentRunnerClaim(job, steps, resolvedSecrets, token, time.Unix(claims.Exp, 0)))
+ }
  	runnerID int64,
  	labels []string,
  	capacity int32,
 -) (actionsdb.ClaimQueuedWorkflowJobRow, []actionsdb.ListRunnerStepsForJobRow, bool, error) {
 +) (actionsdb.ClaimQueuedWorkflowJobRow, []actionsdb.ListRunnerStepsForJobRow, map[string]string, bool, error) {
  	q := actionsdb.New()
  	tx, err := h.d.Pool.Begin(ctx)
  	if err != nil {
 -		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err
 +		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err
+ 	}
  	committed := false
  	defer func() {
  	}()
  	if _, err := q.LockRunnerByID(ctx, tx, runnerID); err != nil {
 -		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err
 +		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err
+ 	}
  	running, err := q.CountRunningJobsForRunner(ctx, tx, runnerID)
  	if err != nil {
 -		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err
 +		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err
+ 	}
  	if running >= capacity {
  		if _, err := q.HeartbeatRunner(ctx, tx, actionsdb.HeartbeatRunnerParams{
  			Capacity: capacity,
  			Status:   actionsdb.WorkflowRunnerStatusBusy,
  		}); err != nil {
 -			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err
 +			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err
+ 		}
  		if err := tx.Commit(ctx); err != nil {
 -			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err
 +			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err
+ 		}
  		committed = true
 -		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, nil
 +		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, nil
+ 	}
  	job, err := q.ClaimQueuedWorkflowJob(ctx, tx, actionsdb.ClaimQueuedWorkflowJobParams{
  	})
  	if err != nil {
  		if !errors.Is(err, pgx.ErrNoRows) {
 -			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err
 +			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err
+ 		}
  		if _, err := q.HeartbeatRunner(ctx, tx, actionsdb.HeartbeatRunnerParams{
  			ID:       runnerID,
  			Capacity: capacity,
  			Status:   actionsdb.WorkflowRunnerStatusIdle,
  		}); err != nil {
 -			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err
 +			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err
+ 		}
  		if err := tx.Commit(ctx); err != nil {
 -			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err
 +			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err
+ 		}
  		committed = true
 -		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, nil
 +		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, nil
+ 	}
  	if err := q.MarkWorkflowRunRunning(ctx, tx, job.RunID); err != nil {
 -		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err
 +		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err
+ 	}
  	steps, err := q.ListRunnerStepsForJob(ctx, tx, job.ID)
  	if err != nil {
 -		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err
 +		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err
 +	}
 +	resolvedSecrets, err := h.resolveVisibleSecretsFromDB(ctx, tx, job.RepoID)
 +	if err != nil {
 +		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err
 +	}
 +	if err := h.storeJobSecretMaskSnapshot(ctx, tx, job.ID, secretMaskValues(resolvedSecrets)); err != nil {
 +		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err
+ 	}
  	status := actionsdb.WorkflowRunnerStatusIdle
  	if running+1 >= capacity {
  		Capacity: capacity,
  		Status:   status,
  	}); err != nil {
 -		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err
 +		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err
+ 	}
  	if err := tx.Commit(ctx); err != nil {
 -		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err
 +		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err
+ 	}
  	committed = true
 -	return job, steps, true, nil
 +	return job, steps, resolvedSecrets, true, nil
+ }
  type runnerJobAuth struct {
  		writeAPIError(w, http.StatusBadRequest, "chunk must be between 1 and 524288 bytes")
  		return
+ 	}
 -	values, err := h.logMaskValues(r.Context(), auth.Claims.RepoID)
 +	values, err := h.jobSecretMaskValues(r.Context(), auth.Job.ID, auth.Claims.RepoID)
  	if err != nil {
  		h.d.Logger.ErrorContext(r.Context(), "runner log mask resolution failed", "repo_id", auth.Claims.RepoID, "job_id", auth.Claims.JobID, "error", err)
  		writeAPIError(w, http.StatusInternalServerError, "log mask resolution failed")
  	})
+ }
 +type secretResolutionDB interface {
 +	actionsdb.DBTX
 +	reposdb.DBTX
 +}
++
  func (h *Handlers) resolveVisibleSecrets(ctx context.Context, repoID int64) (map[string]string, error) {
 +	return h.resolveVisibleSecretsFromDB(ctx, h.d.Pool, repoID)
 +}
++
 +func (h *Handlers) resolveVisibleSecretsFromDB(ctx context.Context, db secretResolutionDB, repoID int64) (map[string]string, error) {
  	if h.d.SecretBox == nil {
  		return nil, nil
+ 	}
 -	repo, err := reposdb.New().GetRepoByID(ctx, h.d.Pool, repoID)
 +	repo, err := reposdb.New().GetRepoByID(ctx, db, repoID)
  	if err != nil {
  		return nil, err
+ 	}
 -	store := secrets.Deps{Pool: h.d.Pool, Box: h.d.SecretBox, Logger: h.d.Logger}
  	out := map[string]string{}
  	if repo.OwnerOrgID.Valid {
 -		if err := h.mergeSecrets(ctx, store, secrets.OrgScope(repo.OwnerOrgID.Int64), out); err != nil {
 +		if err := h.mergeOrgSecrets(ctx, db, repo.OwnerOrgID.Int64, out); err != nil {
  			return nil, err
+ 		}
+ 	}
 -	if err := h.mergeSecrets(ctx, store, secrets.RepoScope(repo.ID), out); err != nil {
 +	if err := h.mergeRepoSecrets(ctx, db, repo.ID, out); err != nil {
  		return nil, err
+ 	}
  	if len(out) == 0 {
  	return out, nil
+ }
 -func (h *Handlers) mergeSecrets(ctx context.Context, store secrets.Deps, scope secrets.Scope, out map[string]string) error {
 -	items, err := store.List(ctx, scope)
 +func (h *Handlers) mergeRepoSecrets(ctx context.Context, db actionsdb.DBTX, repoID int64, out map[string]string) error {
 +	q := actionsdb.New()
 +	items, err := q.ListRepoSecrets(ctx, db, pgtype.Int8{Int64: repoID, Valid: true})
  	if err != nil {
  		return err
+ 	}
  	for _, item := range items {
 -		plaintext, err := store.Get(ctx, scope, item.Name)
 +		row, err := q.GetRepoSecret(ctx, db, actionsdb.GetRepoSecretParams{
 +			RepoID: pgtype.Int8{Int64: repoID, Valid: true},
 +			Name:   item.Name,
 +		})
 +		if err != nil {
 +			return err
 +		}
 +		plaintext, err := h.d.SecretBox.Open(row.Ciphertext, row.Nonce)
 +		if err != nil {
 +			return err
 +		}
 +		out[item.Name] = string(plaintext)
 +	}
 +	return nil
 +}
++
 +func (h *Handlers) mergeOrgSecrets(ctx context.Context, db actionsdb.DBTX, orgID int64, out map[string]string) error {
 +	q := actionsdb.New()
 +	items, err := q.ListOrgSecrets(ctx, db, pgtype.Int8{Int64: orgID, Valid: true})
 +	if err != nil {
 +		return err
 +	}
 +	for _, item := range items {
 +		row, err := q.GetOrgSecret(ctx, db, actionsdb.GetOrgSecretParams{
 +			OrgID: pgtype.Int8{Int64: orgID, Valid: true},
 +			Name:  item.Name,
 +		})
 +		if err != nil {
 +			return err
 +		}
 +		plaintext, err := h.d.SecretBox.Open(row.Ciphertext, row.Nonce)
  		if err != nil {
  			return err
+ 		}
  	return secretMaskValues(resolved), nil
+ }
 +func (h *Handlers) storeJobSecretMaskSnapshot(ctx context.Context, db actionsdb.DBTX, jobID int64, values []string) error {
 +	if h.d.SecretBox == nil {
 +		return nil
 +	}
 +	if values == nil {
 +		values = []string{}
 +	}
 +	payload, err := json.Marshal(values)
 +	if err != nil {
 +		return err
 +	}
 +	ciphertext, nonce, err := h.d.SecretBox.Seal(payload)
 +	if err != nil {
 +		return err
 +	}
 +	return actionsdb.New().UpsertWorkflowJobSecretMask(ctx, db, actionsdb.UpsertWorkflowJobSecretMaskParams{
 +		JobID:      jobID,
 +		Ciphertext: ciphertext,
 +		Nonce:      nonce,
 +	})
 +}
++
 +func (h *Handlers) jobSecretMaskValues(ctx context.Context, jobID, repoID int64) ([]string, error) {
 +	if h.d.SecretBox == nil {
 +		return nil, nil
 +	}
 +	row, err := actionsdb.New().GetWorkflowJobSecretMask(ctx, h.d.Pool, jobID)
 +	if err != nil {
 +		if errors.Is(err, pgx.ErrNoRows) {
 +			return h.logMaskValues(ctx, repoID)
 +		}
 +		return nil, err
 +	}
 +	plaintext, err := h.d.SecretBox.Open(row.Ciphertext, row.Nonce)
 +	if err != nil {
 +		return nil, err
 +	}
 +	var values []string
 +	if err := json.Unmarshal(plaintext, &values); err != nil {
 +		return nil, err
 +	}
 +	sort.Strings(values)
 +	return values, nil
 +}
++
  func secretMaskValues(resolved map[string]string) []string {
  	if len(resolved) == 0 {
  		return nil

internal/web/handlers/api/runners_test.gomodified

  	if claim.Job.RunID != runID || claim.Job.Secrets["TOKEN"] != "hunter2" || !containsString(claim.Job.MaskValues, "hunter2") {
  		t.Fatalf("claim did not include masked secret context: %+v", claim.Job)
+ 	}
 +	if _, err := actionsdb.New().GetWorkflowJobSecretMask(ctx, pool, claim.Job.ID); err != nil {
 +		t.Fatalf("GetWorkflowJobSecretMask: %v", err)
 +	}
 +	if err := (actionsecrets.Deps{Pool: pool, Box: box}).Set(ctx, actionsecrets.RepoScope(repoID), "TOKEN", []byte("rotated"), userID); err != nil {
 +		t.Fatalf("rotate secret after claim: %v", err)
 +	}
  	rawLog := []byte("before hunter2 after\n")
  	logBody := fmt.Sprintf(`{"seq":0,"chunk":%q}`, base64.StdEncoding.EncodeToString(rawLog))

internal/webhook/sqlc/models.gomodified

  	UpdatedAt       pgtype.Timestamptz
+ }
 +type WorkflowJobSecretMask struct {
 +	JobID      int64
 +	Ciphertext []byte
 +	Nonce      []byte
 +	CreatedAt  pgtype.Timestamptz
 +}
++
  type WorkflowRun struct {
  	ID               int64
  	RepoID           int64

internal/worker/sqlc/models.gomodified

  	UpdatedAt       pgtype.Timestamptz
+ }
 +type WorkflowJobSecretMask struct {
 +	JobID      int64
 +	Ciphertext []byte
 +	Nonce      []byte
 +	CreatedAt  pgtype.Timestamptz
 +}
++
  type WorkflowRun struct {
  	ID               int64
  	RepoID           int64

tenseleyflow/shithub / `2b63ffd`

23 changed files