actions/runner: support scoped checkout

Status	File	+	-
M	`internal/actions/queries/workflow_jobs.sql`	7	2
M	`internal/actions/sqlc/workflow_jobs.sql.go`	10	1
M	`internal/auth/runnerjwt/jwt.go`	27	12
M	`internal/auth/runnerjwt/jwt_test.go`	29	0
M	`internal/runner/api/client.go`	2	0
M	`internal/runner/engine/docker.go`	150	2
M	`internal/runner/engine/docker_test.go`	91	1
M	`internal/runner/engine/types.go`	2	0
M	`internal/runner/runner.go`	2	0
M	`internal/web/githttp_wiring.go`	6	3
M	`internal/web/handlers/api/runners.go`	36	3
M	`internal/web/handlers/api/runners_test.go`	24	5
M	`internal/web/handlers/githttp/auth.go`	45	4
M	`internal/web/handlers/githttp/githttp.go`	8	4
M	`internal/web/handlers/githttp/githttp_test.go`	161	15
M	`internal/web/handlers/githttp/handler.go`	12	0
M	`internal/web/server.go`	1	1

internal/actions/queries/workflow_jobs.sqlmodified

         c.cancel_requested, c.started_at, c.completed_at, c.version,
         c.created_at, c.updated_at,
         r.repo_id, r.run_index, r.workflow_file, r.workflow_name,
 -       r.head_sha, r.head_ref, r.event, r.event_payload
 +       r.head_sha, r.head_ref, r.event, r.event_payload,
 +       COALESCE(owner_user.username, owner_org.slug)::text AS repo_owner,
 +       repo.name AS repo_name
  FROM claimed c
 -JOIN workflow_runs r ON r.id = c.run_id;
 +JOIN workflow_runs r ON r.id = c.run_id
 +JOIN repos repo ON repo.id = r.repo_id
 +LEFT JOIN users owner_user ON owner_user.id = repo.owner_user_id
 +LEFT JOIN orgs owner_org ON owner_org.id = repo.owner_org_id;
  -- name: ListJobsForRun :many
  SELECT id, run_id, job_index, job_key, job_name, runs_on, status,

internal/actions/sqlc/workflow_jobs.sql.gomodified

         c.cancel_requested, c.started_at, c.completed_at, c.version,
         c.created_at, c.updated_at,
         r.repo_id, r.run_index, r.workflow_file, r.workflow_name,
 -       r.head_sha, r.head_ref, r.event, r.event_payload
 +       r.head_sha, r.head_ref, r.event, r.event_payload,
 +       COALESCE(owner_user.username, owner_org.slug)::text AS repo_owner,
 +       repo.name AS repo_name
  FROM claimed c
  JOIN workflow_runs r ON r.id = c.run_id
 +JOIN repos repo ON repo.id = r.repo_id
 +LEFT JOIN users owner_user ON owner_user.id = repo.owner_user_id
 +LEFT JOIN orgs owner_org ON owner_org.id = repo.owner_org_id
+ `
  type ClaimQueuedWorkflowJobParams struct {
  	HeadRef         string
  	Event           WorkflowRunEvent
  	EventPayload    []byte
 +	RepoOwner       string
 +	RepoName        string
+ }
  func (q *Queries) ClaimQueuedWorkflowJob(ctx context.Context, db DBTX, arg ClaimQueuedWorkflowJobParams) (ClaimQueuedWorkflowJobRow, error) {
  		&i.HeadRef,
  		&i.Event,
  		&i.EventPayload,
 +		&i.RepoOwner,
 +		&i.RepoName,
+ 	)
  	return i, err
+ }

internal/auth/runnerjwt/jwt.gomodified

  	// DefaultTTL is the runner job-token lifetime from the S41c contract.
  	DefaultTTL = 15 * time.Minute
 +	PurposeAPI      = "api"
 +	PurposeCheckout = "checkout"
++
  	signingKeySize = 32
  	hkdfInfo       = "actions-runner-jwt-v1"
  	jtiBytes       = 32
  // Claims are the JWT payload fields accepted by runner job endpoints.
  type Claims struct {
 -	Sub    string `json:"sub"`
 -	JobID  int64  `json:"job_id"`
 -	RunID  int64  `json:"run_id"`
 -	RepoID int64  `json:"repo_id"`
 -	Exp    int64  `json:"exp"`
 -	JTI    string `json:"jti"`
 +	Sub     string `json:"sub"`
 +	JobID   int64  `json:"job_id"`
 +	RunID   int64  `json:"run_id"`
 +	RepoID  int64  `json:"repo_id"`
 +	Exp     int64  `json:"exp"`
 +	JTI     string `json:"jti"`
 +	Purpose string `json:"purpose,omitempty"`
+ }
  // RunnerID extracts the runner id encoded in sub="runner:<id>".
  	RunID    int64
  	RepoID   int64
  	TTL      time.Duration
 +	Purpose  string
+ }
  // Signer signs and verifies HS256 runner JWTs.
  	if err != nil {
  		return "", Claims{}, err
+ 	}
 +	purpose := p.Purpose
 +	if purpose == "" {
 +		purpose = PurposeAPI
 +	}
  	claims := Claims{
 -		Sub:    fmt.Sprintf("runner:%d", p.RunnerID),
 -		JobID:  p.JobID,
 -		RunID:  p.RunID,
 -		RepoID: p.RepoID,
 -		Exp:    s.now().Add(ttl).Unix(),
 -		JTI:    jti,
 +		Sub:     fmt.Sprintf("runner:%d", p.RunnerID),
 +		JobID:   p.JobID,
 +		RunID:   p.RunID,
 +		RepoID:  p.RepoID,
 +		Exp:     s.now().Add(ttl).Unix(),
 +		JTI:     jti,
 +		Purpose: purpose,
+ 	}
  	if err := validateClaims(claims); err != nil {
  		return "", Claims{}, err
  	if c.JobID <= 0 || c.RunID <= 0 || c.RepoID <= 0 || c.Exp <= 0 {
  		return ErrInvalidClaims
+ 	}
 +	switch c.Purpose {
 +	case "", PurposeAPI, PurposeCheckout:
 +	default:
 +		return ErrInvalidClaims
 +	}
  	if len(c.JTI) < 16 || len(c.JTI) > 128 {
  		return ErrInvalidClaims
+ 	}

internal/auth/runnerjwt/jwt_test.gomodified

  	if claims.Exp != now.Add(runnerjwt.DefaultTTL).Unix() {
  		t.Fatalf("exp: got %d, want %d", claims.Exp, now.Add(runnerjwt.DefaultTTL).Unix())
+ 	}
 +	if claims.Purpose != runnerjwt.PurposeAPI {
 +		t.Fatalf("purpose: got %q, want %q", claims.Purpose, runnerjwt.PurposeAPI)
 +	}
  	runnerID, err := claims.RunnerID()
  	if err != nil {
  		t.Fatalf("RunnerID: %v", err)
+ 	}
+ }
 +func TestMintVerifyCheckoutPurpose(t *testing.T) {
 +	now := time.Date(2026, 5, 10, 12, 0, 0, 0, time.UTC)
 +	signer := newTestSigner(t, now, bytesOf(0x66, 32))
++
 +	token, claims, err := signer.Mint(runnerjwt.MintParams{
 +		RunnerID: 7,
 +		JobID:    11,
 +		RunID:    13,
 +		RepoID:   17,
 +		Purpose:  runnerjwt.PurposeCheckout,
 +	})
 +	if err != nil {
 +		t.Fatalf("Mint: %v", err)
 +	}
 +	if claims.Purpose != runnerjwt.PurposeCheckout {
 +		t.Fatalf("purpose: got %q, want checkout", claims.Purpose)
 +	}
 +	got, err := signer.Verify(token)
 +	if err != nil {
 +		t.Fatalf("Verify: %v", err)
 +	}
 +	if got.Purpose != runnerjwt.PurposeCheckout {
 +		t.Fatalf("verified purpose: got %q, want checkout", got.Purpose)
 +	}
 +}
++
  func TestVerifyRejectsTamperedPayload(t *testing.T) {
  	signer := newTestSigner(t, time.Unix(100, 0), bytesOf(0x22, 32))
  	token, _, err := signer.Mint(runnerjwt.MintParams{RunnerID: 1, JobID: 2, RunID: 3, RepoID: 4})

internal/runner/api/client.gomodified

  	RunIndex       int64             `json:"run_index"`
  	WorkflowFile   string            `json:"workflow_file"`
  	WorkflowName   string            `json:"workflow_name"`
 +	CheckoutURL    string            `json:"checkout_url"`
 +	CheckoutToken  string            `json:"checkout_token"`
  	HeadSHA        string            `json:"head_sha"`
  	HeadRef        string            `json:"head_ref"`
  	Event          string            `json:"event"`

internal/runner/engine/docker.gomodified

  package engine
  import (
 +	"bytes"
  	"context"
  	"encoding/json"
  	"errors"
  	"fmt"
  	"io"
  	"log/slog"
 +	"net/url"
  	"os"
  	"os/exec"
  	"path"
  type DockerConfig struct {
  	Binary           string
 +	GitBinary        string
  	DefaultImage     string
  	Network          string
  	Memory           string
  	if cfg.Binary == "" {
  		cfg.Binary = "docker"
+ 	}
 +	if cfg.GitBinary == "" {
 +		cfg.GitBinary = "git"
 +	}
  	if cfg.LogChunkBytes <= 0 {
  		cfg.LogChunkBytes = 4 * 1024
+ 	}
+ }
  func (d *Docker) executeStep(ctx context.Context, job Job, step Step) error {
 -	if strings.TrimSpace(step.Uses) != "" {
 -		return fmt.Errorf("%w: %s is not executable until checkout/artifact support lands", ErrUnsupportedUses, step.Uses)
 +	if uses := strings.TrimSpace(step.Uses); uses != "" {
 +		switch uses {
 +		case "actions/checkout@v4":
 +			return d.executeCheckout(ctx, job, step)
 +		default:
 +			return fmt.Errorf("%w: %s is not executable until that alias lands", ErrUnsupportedUses, uses)
 +		}
+ 	}
  	if strings.TrimSpace(step.Run) == "" {
  		return nil
  	return nil
+ }
 +func (d *Docker) executeCheckout(ctx context.Context, job Job, step Step) error {
 +	checkoutURL, err := validateCheckoutURL(job.CheckoutURL)
 +	if err != nil {
 +		return err
 +	}
 +	if strings.TrimSpace(job.CheckoutToken) == "" {
 +		return errors.New("runner engine: checkout token is required")
 +	}
 +	headSHA := strings.TrimSpace(job.HeadSHA)
 +	if !gitObjectIDRE.MatchString(headSHA) {
 +		return fmt.Errorf("runner engine: invalid checkout sha %q", headSHA)
 +	}
 +	if err := os.MkdirAll(job.WorkspaceDir, 0o700); err != nil {
 +		return fmt.Errorf("runner engine: prepare checkout workspace: %w", err)
 +	}
 +	depthArgs, err := checkoutDepthArgs(step.With)
 +	if err != nil {
 +		return err
 +	}
 +	fetchTarget := headSHA
++
 +	writer := d.newStepLogWriter(ctx, job.ID, step.ID, job.MaskValues)
 +	out := io.MultiWriter(d.cfg.Stdout, writer)
 +	errOut := io.MultiWriter(d.cfg.Stderr, writer)
 +	closeWriter := func(runErr error) error {
 +		if closeErr := writer.Close(); closeErr != nil {
 +			if runErr != nil {
 +				return errors.Join(runErr, closeErr)
 +			}
 +			return closeErr
 +		}
 +		return runErr
 +	}
++
 +	fmt.Fprintf(out, "Checking out %s at %s\n", checkoutURL, shortObjectID(headSHA))
 +	gitEnv := []string{
 +		"GIT_TERMINAL_PROMPT=0",
 +		"GIT_ASKPASS=/bin/false",
 +		"SHITHUB_CHECKOUT_TOKEN=" + job.CheckoutToken,
 +	}
 +	//nolint:gosec // G101: this helper reads the token from env; it does not hard-code or argv-expose a secret.
 +	credentialHelper := `credential.helper=!f() { echo username=shithub-actions; echo password=$SHITHUB_CHECKOUT_TOKEN; }; f`
 +	runGit := func(args ...string) error {
 +		if err := d.cfg.Runner.Run(ctx, d.cfg.GitBinary, args, gitEnv, out, errOut); err != nil {
 +			return fmt.Errorf("git %s: %w", strings.Join(redactCheckoutArgs(args), " "), err)
 +		}
 +		return nil
 +	}
++
 +	if err := runGit("-C", job.WorkspaceDir, "init"); err != nil {
 +		return closeWriter(fmt.Errorf("runner engine: checkout step %q failed: %w", stepLabel(step), err))
 +	}
 +	if err := runGit("-C", job.WorkspaceDir, "remote", "add", "origin", checkoutURL); err != nil {
 +		return closeWriter(fmt.Errorf("runner engine: checkout step %q failed: %w", stepLabel(step), err))
 +	}
 +	fetchArgs := []string{"-C", job.WorkspaceDir, "-c", credentialHelper, "fetch", "--no-tags"}
 +	fetchArgs = append(fetchArgs, depthArgs...)
 +	fetchArgs = append(fetchArgs, "origin", fetchTarget)
 +	if err := runGit(fetchArgs...); err != nil {
 +		return closeWriter(fmt.Errorf("runner engine: checkout step %q failed: %w", stepLabel(step), err))
 +	}
 +	if err := runGit("-C", job.WorkspaceDir, "checkout", "--force", "--detach", headSHA); err != nil {
 +		return closeWriter(fmt.Errorf("runner engine: checkout step %q failed: %w", stepLabel(step), err))
 +	}
++
 +	var rev bytes.Buffer
 +	if err := d.cfg.Runner.Run(ctx, d.cfg.GitBinary,
 +		[]string{"-C", job.WorkspaceDir, "rev-parse", "HEAD"},
 +		gitEnv, io.MultiWriter(out, &rev), errOut); err != nil {
 +		return closeWriter(fmt.Errorf("runner engine: checkout step %q failed: git rev-parse HEAD: %w", stepLabel(step), err))
 +	}
 +	if got := strings.TrimSpace(rev.String()); !strings.EqualFold(got, headSHA) {
 +		return closeWriter(fmt.Errorf("runner engine: checkout step %q failed: HEAD %s != expected %s", stepLabel(step), got, headSHA))
 +	}
 +	fmt.Fprintf(out, "Checked out %s\n", shortObjectID(headSHA))
 +	return closeWriter(nil)
 +}
++
  type dockerInvocation struct {
  	args           []string
  	env            []string
  	return strings.EqualFold(flat[rootPermissionKey], "write")
+ }
 +var gitObjectIDRE = regexp.MustCompile(`^[0-9a-fA-F]{40,64}$`)
++
 +func validateCheckoutURL(raw string) (string, error) {
 +	raw = strings.TrimSpace(raw)
 +	if raw == "" {
 +		return "", errors.New("runner engine: checkout url is required")
 +	}
 +	u, err := url.Parse(raw)
 +	if err != nil || u.Scheme == "" || u.Host == "" {
 +		return "", fmt.Errorf("runner engine: invalid checkout url %q", raw)
 +	}
 +	if u.User != nil {
 +		return "", errors.New("runner engine: checkout url must not contain credentials")
 +	}
 +	switch strings.ToLower(u.Scheme) {
 +	case "http", "https":
 +	default:
 +		return "", fmt.Errorf("runner engine: checkout url scheme %q is not allowed", u.Scheme)
 +	}
 +	return u.String(), nil
 +}
++
 +func checkoutDepthArgs(with map[string]string) ([]string, error) {
 +	for key := range with {
 +		if key != "fetch-depth" {
 +			return nil, fmt.Errorf("runner engine: unsupported checkout input %q", key)
 +		}
 +	}
 +	raw := strings.TrimSpace(with["fetch-depth"])
 +	if raw == "" {
 +		return []string{"--depth=1"}, nil
 +	}
 +	depth, err := strconv.Atoi(raw)
 +	if err != nil || depth < 0 || depth > 100000 {
 +		return nil, fmt.Errorf("runner engine: invalid checkout fetch-depth %q", raw)
 +	}
 +	if depth == 0 {
 +		return nil, nil
 +	}
 +	return []string{"--depth=" + strconv.Itoa(depth)}, nil
 +}
++
 +func shortObjectID(oid string) string {
 +	if len(oid) <= 12 {
 +		return oid
 +	}
 +	return oid[:12]
 +}
++
 +func redactCheckoutArgs(args []string) []string {
 +	out := append([]string{}, args...)
 +	for i, arg := range out {
 +		if strings.Contains(arg, "SHITHUB_CHECKOUT_TOKEN") {
 +			out[i] = "credential.helper=<redacted>"
 +		}
 +	}
 +	return out
 +}
++
  func (d *Docker) StreamLogs(_ context.Context, jobID int64) (<-chan LogChunk, error) {
  	return d.ensureStream(jobID), nil
+ }

internal/runner/engine/docker_test.gomodified

  	d := NewDocker(DockerConfig{DefaultImage: "runner-image", Network: "bridge", Memory: "2g", CPUs: "2", Runner: &recordingRunner{}})
  	out, err := d.Execute(t.Context(), Job{
  		WorkspaceDir: t.TempDir(),
 -		Steps:        []Step{{Uses: "actions/checkout@v4"}},
 +		Steps:        []Step{{Uses: "shithub/upload-artifact@v1"}},
  	})
  	if !errors.Is(err, ErrUnsupportedUses) {
  		t.Fatalf("error: %v", err)
+ 	}
+ }
 +type checkoutRunner struct {
 +	calls []checkoutCall
 +}
++
 +type checkoutCall struct {
 +	name string
 +	args []string
 +	env  []string
 +}
++
 +func (r *checkoutRunner) Run(_ context.Context, name string, args []string, env []string, stdout, _ io.Writer) error {
 +	r.calls = append(r.calls, checkoutCall{
 +		name: name,
 +		args: append([]string{}, args...),
 +		env:  append([]string{}, env...),
 +	})
 +	if len(args) >= 4 && args[len(args)-2] == "rev-parse" && args[len(args)-1] == "HEAD" {
 +		_, _ = stdout.Write([]byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n"))
 +	}
 +	return nil
 +}
++
 +func TestDockerExecute_CheckoutUsesScopedCredentialAndVerifiesHead(t *testing.T) {
 +	t.Parallel()
 +	rec := &checkoutRunner{}
 +	d := NewDocker(DockerConfig{
 +		GitBinary:     "git-test",
 +		DefaultImage:  "runner-image",
 +		Network:       "bridge",
 +		Memory:        "2g",
 +		CPUs:          "2",
 +		LogChunkBytes: 1024,
 +		Runner:        rec,
 +	})
 +	out, err := d.Execute(t.Context(), Job{
 +		ID:            1,
 +		RunID:         2,
 +		CheckoutURL:   "https://shithub.test/alice/demo.git",
 +		CheckoutToken: "checkout-token",
 +		HeadSHA:       "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
 +		HeadRef:       "refs/heads/trunk",
 +		WorkspaceDir:  t.TempDir(),
 +		Steps: []Step{{
 +			ID:   10,
 +			Uses: "actions/checkout@v4",
 +			With: map[string]string{"fetch-depth": "0"},
 +		}},
 +	})
 +	if err != nil {
 +		t.Fatalf("Execute: %v", err)
 +	}
 +	if out.Conclusion != ConclusionSuccess {
 +		t.Fatalf("Conclusion: %q", out.Conclusion)
 +	}
 +	if len(rec.calls) != 5 {
 +		t.Fatalf("git calls: got %d want 5: %#v", len(rec.calls), rec.calls)
 +	}
 +	want := [][]string{
 +		{"-C", rec.calls[0].args[1], "init"},
 +		{"-C", rec.calls[1].args[1], "remote", "add", "origin", "https://shithub.test/alice/demo.git"},
 +		{"-C", rec.calls[2].args[1], "-c", rec.calls[2].args[3], "fetch", "--no-tags", "origin", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
 +		{"-C", rec.calls[3].args[1], "checkout", "--force", "--detach", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
 +		{"-C", rec.calls[4].args[1], "rev-parse", "HEAD"},
 +	}
 +	for i := range want {
 +		if rec.calls[i].name != "git-test" {
 +			t.Fatalf("call %d name = %q", i, rec.calls[i].name)
 +		}
 +		if !reflect.DeepEqual(rec.calls[i].args, want[i]) {
 +			t.Fatalf("call %d args:\ngot  %#v\nwant %#v", i, rec.calls[i].args, want[i])
 +		}
 +	}
 +	if strings.Contains(strings.Join(rec.calls[2].args, " "), "checkout-token") {
 +		t.Fatalf("checkout token leaked into argv: %#v", rec.calls[2].args)
 +	}
 +	if !containsEnv(rec.calls[2].env, "SHITHUB_CHECKOUT_TOKEN=checkout-token") {
 +		t.Fatalf("checkout token missing from git env: %#v", rec.calls[2].env)
 +	}
 +	if rec.calls[2].args[3] != `credential.helper=!f() { echo username=shithub-actions; echo password=$SHITHUB_CHECKOUT_TOKEN; }; f` {
 +		t.Fatalf("credential helper: %q", rec.calls[2].args[3])
 +	}
 +}
++
 +func TestCheckoutDepthArgsRejectsUnsupportedInputs(t *testing.T) {
 +	t.Parallel()
 +	if _, err := checkoutDepthArgs(map[string]string{"path": "src"}); err == nil || !strings.Contains(err.Error(), `unsupported checkout input "path"`) {
 +		t.Fatalf("checkoutDepthArgs error = %v", err)
 +	}
 +}
++
  func TestContainerWorkdirRejectsEscapes(t *testing.T) {
  	t.Parallel()
  	for _, wd := range []string{"../x", "/tmp"} {

internal/runner/engine/types.gomodified

  	RunIndex       int64
  	WorkflowFile   string
  	WorkflowName   string
 +	CheckoutURL    string
 +	CheckoutToken  string
  	HeadSHA        string
  	HeadRef        string
  	Event          string

internal/runner/runner.gomodified

  		RunIndex:       job.RunIndex,
  		WorkflowFile:   job.WorkflowFile,
  		WorkflowName:   job.WorkflowName,
 +		CheckoutURL:    job.CheckoutURL,
 +		CheckoutToken:  job.CheckoutToken,
  		HeadSHA:        job.HeadSHA,
  		HeadRef:        job.HeadRef,
  		Event:          job.Event,

internal/web/githttp_wiring.gomodified

  	"github.com/jackc/pgx/v5/pgxpool"
 +	"github.com/tenseleyFlow/shithub/internal/auth/runnerjwt"
  	"github.com/tenseleyFlow/shithub/internal/infra/config"
  	"github.com/tenseleyFlow/shithub/internal/infra/storage"
  	githttph "github.com/tenseleyFlow/shithub/internal/web/handlers/githttp"
  func buildGitHTTPHandlers(
  	cfg config.Config,
  	pool *pgxpool.Pool,
 +	runnerJWT *runnerjwt.Signer,
  	logger *slog.Logger,
  ) (*githttph.Handlers, error) {
  	if cfg.Storage.ReposRoot == "" {
  		return nil, fmt.Errorf("git-http: NewRepoFS: %w", err)
+ 	}
  	return githttph.New(githttph.Deps{
 -		Logger: logger,
 -		Pool:   pool,
 -		RepoFS: rfs,
 +		Logger:    logger,
 +		Pool:      pool,
 +		RepoFS:    rfs,
 +		RunnerJWT: runnerJWT,
  	})
+ }

internal/web/handlers/api/runners.gomodified

  	"fmt"
  	"io"
  	"net/http"
 +	"net/url"
  	"regexp"
  	"sort"
  	"strconv"
  		JobID:    job.ID,
  		RunID:    job.RunID,
  		RepoID:   job.RepoID,
 +		Purpose:  runnerjwt.PurposeAPI,
  	})
  	if err != nil {
  		h.d.Logger.ErrorContext(r.Context(), "runner jwt mint failed", "runner_id", runner.ID, "job_id", job.ID, "error", err)
  		writeAPIError(w, http.StatusInternalServerError, "runner token mint failed")
  		return
+ 	}
 +	checkoutToken, _, err := h.d.RunnerJWT.Mint(runnerjwt.MintParams{
 +		RunnerID: runner.ID,
 +		JobID:    job.ID,
 +		RunID:    job.RunID,
 +		RepoID:   job.RepoID,
 +		Purpose:  runnerjwt.PurposeCheckout,
 +	})
 +	if err != nil {
 +		h.d.Logger.ErrorContext(r.Context(), "runner checkout token mint failed", "runner_id", runner.ID, "job_id", job.ID, "error", err)
 +		writeAPIError(w, http.StatusInternalServerError, "runner checkout token mint failed")
 +		return
 +	}
  	metrics.ActionsRunnerHeartbeatsTotal.WithLabelValues("claimed").Inc()
 -	metrics.ActionsRunnerJWTTotal.WithLabelValues("issued").Inc()
 -	writeJSON(w, http.StatusOK, presentRunnerClaim(job, steps, resolvedSecrets, token, time.Unix(claims.Exp, 0)))
 +	metrics.ActionsRunnerJWTTotal.WithLabelValues("issued").Add(2)
 +	writeJSON(w, http.StatusOK, h.presentRunnerClaim(job, steps, resolvedSecrets, token, checkoutToken, time.Unix(claims.Exp, 0)))
+ }
  func (h *Handlers) authenticateRunner(w http.ResponseWriter, r *http.Request) (actionsdb.GetRunnerByTokenHashRow, bool) {
  		writeAPIError(w, http.StatusUnauthorized, "job token invalid")
  		return runnerJobAuth{}, false
+ 	}
 +	if claims.Purpose != "" && claims.Purpose != runnerjwt.PurposeAPI {
 +		metrics.ActionsRunnerJWTTotal.WithLabelValues("rejected").Inc()
 +		writeAPIError(w, http.StatusUnauthorized, "job token invalid")
 +		return runnerJobAuth{}, false
 +	}
  	if claims.JobID != pathJobID {
  		writeAPIError(w, http.StatusNotFound, "job not found")
  		return runnerJobAuth{}, false
  		JobID:    auth.Claims.JobID,
  		RunID:    auth.Claims.RunID,
  		RepoID:   auth.Claims.RepoID,
 +		Purpose:  runnerjwt.PurposeAPI,
  	})
  	if err != nil {
  		h.d.Logger.ErrorContext(r.Context(), "runner next-token mint failed", "job_id", auth.Claims.JobID, "error", err)
  	RunIndex       int64             `json:"run_index"`
  	WorkflowFile   string            `json:"workflow_file"`
  	WorkflowName   string            `json:"workflow_name"`
 +	CheckoutURL    string            `json:"checkout_url"`
 +	CheckoutToken  string            `json:"checkout_token"`
  	HeadSHA        string            `json:"head_sha"`
  	HeadRef        string            `json:"head_ref"`
  	Event          string            `json:"event"`
  	ContinueOnError  bool            `json:"continue_on_error"`
+ }
 -func presentRunnerClaim(
 +func (h *Handlers) presentRunnerClaim(
  	job actionsdb.ClaimQueuedWorkflowJobRow,
  	steps []actionsdb.ListRunnerStepsForJobRow,
  	resolvedSecrets map[string]string,
  	token string,
 +	checkoutToken string,
  	expiresAt time.Time,
  ) runnerClaimResponse {
  	outSteps := make([]runnerStep, 0, len(steps))
  			RunIndex:       job.RunIndex,
  			WorkflowFile:   job.WorkflowFile,
  			WorkflowName:   job.WorkflowName,
 +			CheckoutURL:    h.checkoutURL(job.RepoOwner, job.RepoName),
 +			CheckoutToken:  checkoutToken,
  			HeadSHA:        job.HeadSha,
  			HeadRef:        job.HeadRef,
  			Event:          string(job.Event),
+ 	}
+ }
 +func (h *Handlers) checkoutURL(owner, repoName string) string {
 +	base := strings.TrimRight(strings.TrimSpace(h.d.BaseURL), "/")
 +	if base == "" {
 +		return ""
 +	}
 +	return base + "/" + url.PathEscape(owner) + "/" + url.PathEscape(repoName) + ".git"
 +}
++
  func rawJSONOrObject(b []byte) json.RawMessage {
  	if len(b) == 0 || !json.Valid(b) {
  		return json.RawMessage(`{}`)

internal/web/handlers/api/runners_test.gomodified

  	var resp struct {
  		Token string `json:"token"`
  		Job   struct {
 -			ID           int64          `json:"id"`
 -			RunID        int64          `json:"run_id"`
 -			RepoID       int64          `json:"repo_id"`
 -			EventPayload map[string]any `json:"event_payload"`
 -			Steps        []struct {
 +			ID            int64          `json:"id"`
 +			RunID         int64          `json:"run_id"`
 +			RepoID        int64          `json:"repo_id"`
 +			CheckoutURL   string         `json:"checkout_url"`
 +			CheckoutToken string         `json:"checkout_token"`
 +			EventPayload  map[string]any `json:"event_payload"`
 +			Steps         []struct {
  				Run  string `json:"run"`
  				Uses string `json:"uses"`
  			} `json:"steps"`
  	if resp.Job.RunID != runID || resp.Job.RepoID != repoID || len(resp.Job.Steps) != 2 {
  		t.Fatalf("unexpected job payload: %+v", resp.Job)
+ 	}
 +	if resp.Job.CheckoutURL != "https://shithub.test/alice/demo.git" || resp.Job.CheckoutToken == "" {
 +		t.Fatalf("checkout payload: url=%q token_empty=%t", resp.Job.CheckoutURL, resp.Job.CheckoutToken == "")
 +	}
  	if resp.Job.EventPayload["ref"] != "refs/heads/trunk" {
  		t.Fatalf("event payload not returned to runner: %#v", resp.Job.EventPayload)
+ 	}
  	if claimRunnerID != runnerID {
  		t.Fatalf("claims runner_id: got %d, want %d", claimRunnerID, runnerID)
+ 	}
 +	if claims.Purpose != runnerjwt.PurposeAPI {
 +		t.Fatalf("api token purpose: got %q", claims.Purpose)
 +	}
 +	checkoutClaims, err := signer.Verify(resp.Job.CheckoutToken)
 +	if err != nil {
 +		t.Fatalf("verify checkout token: %v", err)
 +	}
 +	if checkoutClaims.JobID != resp.Job.ID || checkoutClaims.RunID != runID || checkoutClaims.RepoID != repoID ||
 +		checkoutClaims.Purpose != runnerjwt.PurposeCheckout {
 +		t.Fatalf("checkout claims/job mismatch: claims=%+v job=%+v", checkoutClaims, resp.Job)
 +	}
  	var logResp struct {
  		Accepted  bool   `json:"accepted"`
  	h, err := apih.New(apih.Deps{
  		Pool:        pool,
  		Logger:      logger,
 +		BaseURL:     "https://shithub.test",
  		RunnerJWT:   signer,
  		ObjectStore: store,
  	})
  	h, err := apih.New(apih.Deps{
  		Pool:      pool,
  		Logger:    logger,
 +		BaseURL:   "https://shithub.test",
  		RunnerJWT: signer,
  		RepoFS:    rfs,
  	})
  	h, err := apih.New(apih.Deps{
  		Pool:      pool,
  		Logger:    logger,
 +		BaseURL:   "https://shithub.test",
  		RunnerJWT: signer,
  		SecretBox: box,
  	})

internal/web/handlers/githttp/auth.gomodified

  	"strings"
  	"time"
 +	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"
  	"github.com/tenseleyFlow/shithub/internal/auth/password"
  	"github.com/tenseleyFlow/shithub/internal/auth/pat"
 +	"github.com/tenseleyFlow/shithub/internal/auth/runnerjwt"
+ )
  // resolvedAuth carries the resolved identity for a git-over-HTTPS
  // callers decide whether anonymous is allowed (yes for pulling a public
  // repo, no for everything else).
  type resolvedAuth struct {
 -	Anonymous bool
 -	UserID    int64
 -	Username  string
 -	ViaPAT    bool
 +	Anonymous          bool
 +	UserID             int64
 +	Username           string
 +	ViaPAT             bool
 +	ViaRunnerCheckout  bool
 +	RunnerCheckoutRepo int64
+ }
  // errBadCredentials is the catch-all for "creds were sent but didn't
  		return resolvedAuth{}, errBadCredentials
+ 	}
 +	if got, err := h.resolveViaRunnerCheckout(ctx, secret); err == nil {
 +		return got, nil
 +	}
  	if strings.HasPrefix(secret, pat.Prefix) {
  		if got, err := h.resolveViaPAT(ctx, secret); err == nil {
  			return got, nil
  	return h.resolveViaPassword(ctx, user, secret)
+ }
 +func (h *Handlers) resolveViaRunnerCheckout(ctx context.Context, raw string) (resolvedAuth, error) {
 +	if h.d.RunnerJWT == nil || raw == "" {
 +		return resolvedAuth{}, errBadCredentials
 +	}
 +	claims, err := h.d.RunnerJWT.Verify(raw)
 +	if err != nil || claims.Purpose != runnerjwt.PurposeCheckout {
 +		return resolvedAuth{}, errBadCredentials
 +	}
 +	runnerID, err := claims.RunnerID()
 +	if err != nil {
 +		return resolvedAuth{}, errBadCredentials
 +	}
 +	job, err := h.aq.GetWorkflowJobByID(ctx, h.d.Pool, claims.JobID)
 +	if err != nil {
 +		return resolvedAuth{}, errBadCredentials
 +	}
 +	run, err := h.aq.GetWorkflowRunByID(ctx, h.d.Pool, job.RunID)
 +	if err != nil {
 +		return resolvedAuth{}, errBadCredentials
 +	}
 +	if job.RunID != claims.RunID ||
 +		run.RepoID != claims.RepoID ||
 +		job.Status != actionsdb.WorkflowJobStatusRunning ||
 +		!job.RunnerID.Valid ||
 +		job.RunnerID.Int64 != runnerID {
 +		return resolvedAuth{}, errBadCredentials
 +	}
 +	return resolvedAuth{
 +		Username:           "shithub-actions",
 +		ViaRunnerCheckout:  true,
 +		RunnerCheckoutRepo: claims.RepoID,
 +	}, nil
 +}
++
  // resolveViaPAT looks up the token by its sha256 hash, checks
  // revoked/expired/suspended, and returns the owning user. Returns
  // errBadCredentials on any failure (no leak about which check failed).

internal/web/handlers/githttp/githttp.gomodified

  	"github.com/jackc/pgx/v5/pgxpool"
 +	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"
 +	"github.com/tenseleyFlow/shithub/internal/auth/runnerjwt"
  	"github.com/tenseleyFlow/shithub/internal/infra/storage"
  	orgsdb "github.com/tenseleyFlow/shithub/internal/orgs/sqlc"
  	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
  // Deps wires the git-HTTP handler set.
  type Deps struct {
 -	Logger *slog.Logger
 -	Pool   *pgxpool.Pool
 -	RepoFS *storage.RepoFS
 +	Logger    *slog.Logger
 +	Pool      *pgxpool.Pool
 +	RepoFS    *storage.RepoFS
 +	RunnerJWT *runnerjwt.Signer
  	// MaxPushBytes is the hard cap on the git-receive-pack request body.
  	// Defaults to 2 GiB when zero.
  	MaxPushBytes int64
  // Handlers is the registered handler set. Construct via New.
  type Handlers struct {
  	d  Deps
 +	aq *actionsdb.Queries
  	uq *usersdb.Queries
  	rq *reposdb.Queries
  	oq *orgsdb.Queries
  	if d.MaxPushBytes == 0 {
  		d.MaxPushBytes = DefaultMaxPushBytes
+ 	}
 -	return &Handlers{d: d, uq: usersdb.New(), rq: reposdb.New(), oq: orgsdb.New()}, nil
 +	return &Handlers{d: d, aq: actionsdb.New(), uq: usersdb.New(), rq: reposdb.New(), oq: orgsdb.New()}, nil
+ }

internal/web/handlers/githttp/githttp_test.gomodified

  	"github.com/jackc/pgx/v5/pgtype"
  	"github.com/jackc/pgx/v5/pgxpool"
 +	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"
  	"github.com/tenseleyFlow/shithub/internal/auth/audit"
  	"github.com/tenseleyFlow/shithub/internal/auth/pat"
 +	"github.com/tenseleyFlow/shithub/internal/auth/runnerjwt"
  	"github.com/tenseleyFlow/shithub/internal/auth/throttle"
  	"github.com/tenseleyFlow/shithub/internal/infra/storage"
  	"github.com/tenseleyFlow/shithub/internal/orgs"
  // private repo, mounts the smart-HTTP handlers on a httptest server,
  // and returns everything callers need.
  type env struct {
 -	srv      *httptest.Server
 -	pool     *pgxpool.Pool
 -	userID   int64
 -	user     string
 -	pwd      string
 -	patRaw   string
 -	pubRepo  string
 -	privRepo string
 -	root     string
 +	srv        *httptest.Server
 +	pool       *pgxpool.Pool
 +	userID     int64
 +	user       string
 +	pwd        string
 +	patRaw     string
 +	pubRepo    string
 +	pubRepoID  int64
 +	privRepo   string
 +	privRepoID int64
 +	root       string
 +	runnerJWT  *runnerjwt.Signer
+ }
  func setupEnv(t *testing.T) *env {
  		Pool: pool, RepoFS: rfs, Audit: audit.NewRecorder(), Limiter: throttle.NewLimiter(),
  		Logger: slog.New(slog.NewTextHandler(io.Discard, nil)),
+ 	}
 -	if _, err := repos.Create(context.Background(), rdeps, repos.Params{
 +	publicRes, err := repos.Create(context.Background(), rdeps, repos.Params{
  		OwnerUserID: user.ID, OwnerUsername: user.Username,
  		Name: "public-repo", Visibility: "public", InitReadme: true,
 -	}); err != nil {
 +	})
 +	if err != nil {
  		t.Fatalf("create public: %v", err)
+ 	}
 -	if _, err := repos.Create(context.Background(), rdeps, repos.Params{
 +	privateRes, err := repos.Create(context.Background(), rdeps, repos.Params{
  		OwnerUserID: user.ID, OwnerUsername: user.Username,
  		Name: "private-repo", Visibility: "private", InitReadme: true,
 -	}); err != nil {
 +	})
 +	if err != nil {
  		t.Fatalf("create private: %v", err)
+ 	}
  		t.Fatalf("create PAT row: %v", err)
+ 	}
 +	runnerJWT := runnerHTTPSigner(t)
  	h, err := githttph.New(githttph.Deps{
  		Logger: slog.New(slog.NewTextHandler(io.Discard, nil)),
 -		Pool:   pool, RepoFS: rfs,
 +		Pool:   pool, RepoFS: rfs, RunnerJWT: runnerJWT,
  	})
  	if err != nil {
  		t.Fatalf("New: %v", err)
  	return &env{
  		srv: srv, pool: pool, userID: user.ID,
  		user: "alice", pwd: "wrong-not-real-password", patRaw: raw,
 -		pubRepo: "public-repo", privRepo: "private-repo", root: root,
 +		pubRepo: "public-repo", pubRepoID: publicRes.Repo.ID,
 +		privRepo: "private-repo", privRepoID: privateRes.Repo.ID,
 +		root: root, runnerJWT: runnerJWT,
+ 	}
+ }
+ 	}
+ }
 +func TestGitHTTP_RunnerCheckoutTokenClonesPrivateRepoReadOnly(t *testing.T) {
 +	t.Parallel()
 +	env := setupEnv(t)
 +	token := env.runnerCheckoutToken(t, env.privRepoID)
++
 +	dst := filepath.Join(t.TempDir(), "clone")
 +	cloneURL := authedURL(env.srv.URL, "shithub-actions", token, "/alice/private-repo.git")
 +	out, err := gitCmd("clone", cloneURL, dst).CombinedOutput()
 +	if err != nil {
 +		t.Fatalf("clone with checkout token: %v\n%s", err, out)
 +	}
 +	out, err = gitCmd("-C", dst, "rev-list", "--count", "HEAD").CombinedOutput()
 +	if err != nil {
 +		t.Fatalf("rev-list: %v\n%s", err, out)
 +	}
 +	if got := strings.TrimSpace(string(out)); got != "1" {
 +		t.Fatalf("rev-list = %q, want 1", got)
 +	}
++
 +	for _, c := range [][]string{
 +		{"-C", dst, "config", "user.name", "Runner"},
 +		{"-C", dst, "config", "user.email", "runner@example.test"},
 +	} {
 +		if out, err := gitCmd(c...).CombinedOutput(); err != nil {
 +			t.Fatalf("config: %v\n%s", err, out)
 +		}
 +	}
 +	if err := writeFile(filepath.Join(dst, "blocked.txt"), "x\n"); err != nil {
 +		t.Fatalf("write: %v", err)
 +	}
 +	for _, c := range [][]string{
 +		{"-C", dst, "add", "blocked.txt"},
 +		{"-C", dst, "commit", "-m", "blocked"},
 +	} {
 +		if out, err := gitCmd(c...).CombinedOutput(); err != nil {
 +			t.Fatalf("git %v: %v\n%s", c, err, out)
 +		}
 +	}
 +	out, err = gitCmd("-C", dst, "push", "origin", "trunk").CombinedOutput()
 +	if err == nil {
 +		t.Fatalf("checkout token push unexpectedly succeeded: %s", out)
 +	}
 +	if !strings.Contains(string(out), "read-only") {
 +		t.Fatalf("expected read-only checkout-token message, got: %s", out)
 +	}
 +}
++
 +func TestGitHTTP_RunnerCheckoutTokenCannotReadOtherRepo(t *testing.T) {
 +	t.Parallel()
 +	env := setupEnv(t)
 +	token := env.runnerCheckoutToken(t, env.pubRepoID)
 +	dst := filepath.Join(t.TempDir(), "clone")
 +	cmd := gitCmd("clone", authedURL(env.srv.URL, "shithub-actions", token, "/alice/private-repo.git"), dst)
 +	cmd.Env = append(cmd.Environ(), "GIT_TERMINAL_PROMPT=0", "GIT_ASKPASS=/bin/false")
 +	out, err := cmd.CombinedOutput()
 +	if err == nil {
 +		t.Fatalf("expected checkout token for public repo to fail against private repo; output: %s", out)
 +	}
 +}
++
  func TestGitHTTP_PATPushRoundtrip(t *testing.T) {
  	t.Parallel()
  	env := setupEnv(t)
  	return os.WriteFile(path, []byte(body), 0o600)
+ }
 +func (e *env) runnerCheckoutToken(t *testing.T, repoID int64) string {
 +	t.Helper()
 +	ctx := context.Background()
 +	q := actionsdb.New()
 +	runner, err := q.InsertRunner(ctx, e.pool, actionsdb.InsertRunnerParams{
 +		Name:     "runner-" + e.privRepo,
 +		Labels:   []string{"ubuntu-latest"},
 +		Capacity: 1,
 +	})
 +	if err != nil {
 +		t.Fatalf("InsertRunner: %v", err)
 +	}
 +	run, err := q.InsertWorkflowRun(ctx, e.pool, actionsdb.InsertWorkflowRunParams{
 +		RepoID:       repoID,
 +		RunIndex:     1,
 +		WorkflowFile: ".shithub/workflows/ci.yml",
 +		WorkflowName: "CI",
 +		HeadSha:      strings.Repeat("a", 40),
 +		HeadRef:      "refs/heads/trunk",
 +		Event:        actionsdb.WorkflowRunEventPush,
 +		EventPayload: []byte(`{}`),
 +		ActorUserID:  pgtype.Int8{Int64: e.userID, Valid: true},
 +	})
 +	if err != nil {
 +		t.Fatalf("InsertWorkflowRun: %v", err)
 +	}
 +	job, err := q.InsertWorkflowJob(ctx, e.pool, actionsdb.InsertWorkflowJobParams{
 +		RunID:          run.ID,
 +		JobIndex:       0,
 +		JobKey:         "checkout",
 +		JobName:        "checkout",
 +		RunsOn:         "ubuntu-latest",
 +		NeedsJobs:      []string{},
 +		TimeoutMinutes: 30,
 +		Permissions:    []byte(`{}`),
 +		JobEnv:         []byte(`{}`),
 +	})
 +	if err != nil {
 +		t.Fatalf("InsertWorkflowJob: %v", err)
 +	}
 +	if _, err := e.pool.Exec(ctx, `UPDATE workflow_jobs SET runner_id = $1, status = 'running', started_at = now() WHERE id = $2`, runner.ID, job.ID); err != nil {
 +		t.Fatalf("mark job running: %v", err)
 +	}
 +	token, _, err := e.runnerJWT.Mint(runnerjwt.MintParams{
 +		RunnerID: runner.ID,
 +		JobID:    job.ID,
 +		RunID:    run.ID,
 +		RepoID:   repoID,
 +		Purpose:  runnerjwt.PurposeCheckout,
 +	})
 +	if err != nil {
 +		t.Fatalf("Mint checkout token: %v", err)
 +	}
 +	return token
 +}
++
 +func runnerHTTPSigner(t *testing.T) *runnerjwt.Signer {
 +	t.Helper()
 +	signer, err := runnerjwt.NewFromKey(
 +		bytesOf(0x88, 32),
 +		runnerjwt.WithClock(func() time.Time { return time.Now().UTC() }),
 +	)
 +	if err != nil {
 +		t.Fatalf("runnerjwt.NewFromKey: %v", err)
 +	}
 +	return signer
 +}
++
 +func bytesOf(b byte, n int) []byte {
 +	out := make([]byte, n)
 +	for i := range out {
 +		out[i] = b
 +	}
 +	return out
 +}
++
  // TestGitHTTP_AnonCloneOrgOwnedPublic is a regression for an outage
  // on 2026-05-09: pushing to https://shithub.sh/tenseleyflow/shithub.git
  // returned 404 because authorizeForService only resolved owner-slugs

internal/web/handlers/githttp/handler.gomodified

  		writeChallenge(w)
  		return reposdb.Repo{}, false
+ 	}
 +	if auth.ViaRunnerCheckout {
 +		if svc != protocol.UploadPack {
 +			writeGitErrorMessage(w, http.StatusForbidden,
 +				"shithub Actions checkout credentials are read-only")
 +			return reposdb.Repo{}, false
 +		}
 +		if auth.RunnerCheckoutRepo != row.ID {
 +			http.Error(w, "not found", http.StatusNotFound)
 +			return reposdb.Repo{}, false
 +		}
 +		return row, true
 +	}
  	// Build the policy actor and ask Can(). Owner identity, collab role,
  	// archived/deleted gates all live in the policy package now.

internal/web/server.gomodified


 			})
 		}
 
-		gitHTTPH, err := buildGitHTTPHandlers(cfg, pool, logger)
+		gitHTTPH, err := buildGitHTTPHandlers(cfg, pool, runnerJWT, logger)
 		if err != nil {
 			return fmt.Errorf("git-http handlers: %w", err)
 		}

`@@ -338,7 +338,7 @@` func Run(ctx context.Context, opts Options) error {
338	338	})
339	339	}
340	340
341		- gitHTTPH, err := buildGitHTTPHandlers(cfg, pool, logger)
	341	+ gitHTTPH, err := buildGitHTTPHandlers(cfg, pool, runnerJWT, logger)
342	342	if err != nil {
343	343	return fmt.Errorf("git-http handlers: %w", err)
344	344	}

tenseleyflow/shithub / `33b66c6`

17 changed files