actions/runner: support scoped checkout

Status	File	+	-
M	`internal/actions/queries/workflow_jobs.sql`	7	2
M	`internal/actions/sqlc/workflow_jobs.sql.go`	10	1
M	`internal/auth/runnerjwt/jwt.go`	27	12
M	`internal/auth/runnerjwt/jwt_test.go`	29	0
M	`internal/runner/api/client.go`	2	0
M	`internal/runner/engine/docker.go`	150	2
M	`internal/runner/engine/docker_test.go`	91	1
M	`internal/runner/engine/types.go`	2	0
M	`internal/runner/runner.go`	2	0
M	`internal/web/githttp_wiring.go`	6	3
M	`internal/web/handlers/api/runners.go`	36	3
M	`internal/web/handlers/api/runners_test.go`	24	5
M	`internal/web/handlers/githttp/auth.go`	45	4
M	`internal/web/handlers/githttp/githttp.go`	8	4
M	`internal/web/handlers/githttp/githttp_test.go`	161	15
M	`internal/web/handlers/githttp/handler.go`	12	0
M	`internal/web/server.go`	1	1

internal/actions/queries/workflow_jobs.sqlmodified

         c.cancel_requested, c.started_at, c.completed_at, c.version,
         c.created_at, c.updated_at,
         r.repo_id, r.run_index, r.workflow_file, r.workflow_name,
--       r.head_sha, r.head_ref, r.event, r.event_payload
++       r.head_sha, r.head_ref, r.event, r.event_payload,
++       COALESCE(owner_user.username, owner_org.slug)::text AS repo_owner,
++       repo.name AS repo_name
  FROM claimed c
--JOIN workflow_runs r ON r.id = c.run_id;
++JOIN workflow_runs r ON r.id = c.run_id
++JOIN repos repo ON repo.id = r.repo_id
++LEFT JOIN users owner_user ON owner_user.id = repo.owner_user_id
++LEFT JOIN orgs owner_org ON owner_org.id = repo.owner_org_id;
  -- name: ListJobsForRun :many
  SELECT id, run_id, job_index, job_key, job_name, runs_on, status,

internal/actions/sqlc/workflow_jobs.sql.gomodified

         c.cancel_requested, c.started_at, c.completed_at, c.version,
         c.created_at, c.updated_at,
         r.repo_id, r.run_index, r.workflow_file, r.workflow_name,
--       r.head_sha, r.head_ref, r.event, r.event_payload
++       r.head_sha, r.head_ref, r.event, r.event_payload,
++       COALESCE(owner_user.username, owner_org.slug)::text AS repo_owner,
++       repo.name AS repo_name
  FROM claimed c
  JOIN workflow_runs r ON r.id = c.run_id
++JOIN repos repo ON repo.id = r.repo_id
++LEFT JOIN users owner_user ON owner_user.id = repo.owner_user_id
++LEFT JOIN orgs owner_org ON owner_org.id = repo.owner_org_id
  `
  type ClaimQueuedWorkflowJobParams struct {
  	HeadRef         string
  	Event           WorkflowRunEvent
  	EventPayload    []byte
++	RepoOwner       string
++	RepoName        string
  }
  func (q *Queries) ClaimQueuedWorkflowJob(ctx context.Context, db DBTX, arg ClaimQueuedWorkflowJobParams) (ClaimQueuedWorkflowJobRow, error) {
  		&i.HeadRef,
  		&i.Event,
  		&i.EventPayload,
++		&i.RepoOwner,
++		&i.RepoName,
  	)
  	return i, err
  }

internal/auth/runnerjwt/jwt.gomodified

  	// DefaultTTL is the runner job-token lifetime from the S41c contract.
  	DefaultTTL = 15 * time.Minute
++	PurposeAPI      = "api"
++	PurposeCheckout = "checkout"
++
  	signingKeySize = 32
  	hkdfInfo       = "actions-runner-jwt-v1"
  	jtiBytes       = 32
  // Claims are the JWT payload fields accepted by runner job endpoints.
  type Claims struct {
--	Sub    string `json:"sub"`
++	Sub     string `json:"sub"`
--	JobID  int64  `json:"job_id"`
++	JobID   int64  `json:"job_id"`
--	RunID  int64  `json:"run_id"`
++	RunID   int64  `json:"run_id"`
--	RepoID int64  `json:"repo_id"`
++	RepoID  int64  `json:"repo_id"`
--	Exp    int64  `json:"exp"`
++	Exp     int64  `json:"exp"`
--	JTI    string `json:"jti"`
++	JTI     string `json:"jti"`
++	Purpose string `json:"purpose,omitempty"`
+ }
  // RunnerID extracts the runner id encoded in sub="runner:<id>".
  	RunID    int64
  	RepoID   int64
  	TTL      time.Duration
++	Purpose  string
+ }
  // Signer signs and verifies HS256 runner JWTs.
  	if err != nil {
  		return "", Claims{}, err
+ 	}
++	purpose := p.Purpose
++	if purpose == "" {
++		purpose = PurposeAPI
++	}
  	claims := Claims{
--		Sub:    fmt.Sprintf("runner:%d", p.RunnerID),
++		Sub:     fmt.Sprintf("runner:%d", p.RunnerID),
--		JobID:  p.JobID,
++		JobID:   p.JobID,
--		RunID:  p.RunID,
++		RunID:   p.RunID,
--		RepoID: p.RepoID,
++		RepoID:  p.RepoID,
--		Exp:    s.now().Add(ttl).Unix(),
++		Exp:     s.now().Add(ttl).Unix(),
--		JTI:    jti,
++		JTI:     jti,
++		Purpose: purpose,
+ 	}
  	if err := validateClaims(claims); err != nil {
  		return "", Claims{}, err
  	if c.JobID <= 0 || c.RunID <= 0 || c.RepoID <= 0 || c.Exp <= 0 {
  		return ErrInvalidClaims
+ 	}
++	switch c.Purpose {
++	case "", PurposeAPI, PurposeCheckout:
++	default:
++		return ErrInvalidClaims
++	}
  	if len(c.JTI) < 16 || len(c.JTI) > 128 {
  		return ErrInvalidClaims
+ 	}

internal/auth/runnerjwt/jwt_test.gomodified

  	if claims.Exp != now.Add(runnerjwt.DefaultTTL).Unix() {
  		t.Fatalf("exp: got %d, want %d", claims.Exp, now.Add(runnerjwt.DefaultTTL).Unix())
+ 	}
++	if claims.Purpose != runnerjwt.PurposeAPI {
++		t.Fatalf("purpose: got %q, want %q", claims.Purpose, runnerjwt.PurposeAPI)
++	}
  	runnerID, err := claims.RunnerID()
  	if err != nil {
  		t.Fatalf("RunnerID: %v", err)
+ 	}
+ }
++func TestMintVerifyCheckoutPurpose(t *testing.T) {
++	now := time.Date(2026, 5, 10, 12, 0, 0, 0, time.UTC)
++	signer := newTestSigner(t, now, bytesOf(0x66, 32))
++
++	token, claims, err := signer.Mint(runnerjwt.MintParams{
++		RunnerID: 7,
++		JobID:    11,
++		RunID:    13,
++		RepoID:   17,
++		Purpose:  runnerjwt.PurposeCheckout,
++	})
++	if err != nil {
++		t.Fatalf("Mint: %v", err)
++	}
++	if claims.Purpose != runnerjwt.PurposeCheckout {
++		t.Fatalf("purpose: got %q, want checkout", claims.Purpose)
++	}
++	got, err := signer.Verify(token)
++	if err != nil {
++		t.Fatalf("Verify: %v", err)
++	}
++	if got.Purpose != runnerjwt.PurposeCheckout {
++		t.Fatalf("verified purpose: got %q, want checkout", got.Purpose)
++	}
++}
++
  func TestVerifyRejectsTamperedPayload(t *testing.T) {
  	signer := newTestSigner(t, time.Unix(100, 0), bytesOf(0x22, 32))
  	token, _, err := signer.Mint(runnerjwt.MintParams{RunnerID: 1, JobID: 2, RunID: 3, RepoID: 4})

internal/runner/api/client.gomodified

  	RunIndex       int64             `json:"run_index"`
  	WorkflowFile   string            `json:"workflow_file"`
  	WorkflowName   string            `json:"workflow_name"`
++	CheckoutURL    string            `json:"checkout_url"`
++	CheckoutToken  string            `json:"checkout_token"`
  	HeadSHA        string            `json:"head_sha"`
  	HeadRef        string            `json:"head_ref"`
  	Event          string            `json:"event"`

internal/runner/engine/docker.gomodified

  package engine
  import (
++	"bytes"
  	"context"
  	"encoding/json"
  	"errors"
  	"fmt"
  	"io"
  	"log/slog"
++	"net/url"
  	"os"
  	"os/exec"
  	"path"
  type DockerConfig struct {
  	Binary           string
++	GitBinary        string
  	DefaultImage     string
  	Network          string
  	Memory           string
  	if cfg.Binary == "" {
  		cfg.Binary = "docker"
+ 	}
++	if cfg.GitBinary == "" {
++		cfg.GitBinary = "git"
++	}
  	if cfg.LogChunkBytes <= 0 {
  		cfg.LogChunkBytes = 4 * 1024
+ 	}
+ }
  func (d *Docker) executeStep(ctx context.Context, job Job, step Step) error {
--	if strings.TrimSpace(step.Uses) != "" {
++	if uses := strings.TrimSpace(step.Uses); uses != "" {
--		return fmt.Errorf("%w: %s is not executable until checkout/artifact support lands", ErrUnsupportedUses, step.Uses)
++		switch uses {
++		case "actions/checkout@v4":
++			return d.executeCheckout(ctx, job, step)
++		default:
++			return fmt.Errorf("%w: %s is not executable until that alias lands", ErrUnsupportedUses, uses)
++		}
+ 	}
  	if strings.TrimSpace(step.Run) == "" {
  		return nil
  	return nil
+ }
++func (d *Docker) executeCheckout(ctx context.Context, job Job, step Step) error {
++	checkoutURL, err := validateCheckoutURL(job.CheckoutURL)
++	if err != nil {
++		return err
++	}
++	if strings.TrimSpace(job.CheckoutToken) == "" {
++		return errors.New("runner engine: checkout token is required")
++	}
++	headSHA := strings.TrimSpace(job.HeadSHA)
++	if !gitObjectIDRE.MatchString(headSHA) {
++		return fmt.Errorf("runner engine: invalid checkout sha %q", headSHA)
++	}
++	if err := os.MkdirAll(job.WorkspaceDir, 0o700); err != nil {
++		return fmt.Errorf("runner engine: prepare checkout workspace: %w", err)
++	}
++	depthArgs, err := checkoutDepthArgs(step.With)
++	if err != nil {
++		return err
++	}
++	fetchTarget := headSHA
++
++	writer := d.newStepLogWriter(ctx, job.ID, step.ID, job.MaskValues)
++	out := io.MultiWriter(d.cfg.Stdout, writer)
++	errOut := io.MultiWriter(d.cfg.Stderr, writer)
++	closeWriter := func(runErr error) error {
++		if closeErr := writer.Close(); closeErr != nil {
++			if runErr != nil {
++				return errors.Join(runErr, closeErr)
++			}
++			return closeErr
++		}
++		return runErr
++	}
++
++	fmt.Fprintf(out, "Checking out %s at %s\n", checkoutURL, shortObjectID(headSHA))
++	gitEnv := []string{
++		"GIT_TERMINAL_PROMPT=0",
++		"GIT_ASKPASS=/bin/false",
++		"SHITHUB_CHECKOUT_TOKEN=" + job.CheckoutToken,
++	}
++	//nolint:gosec // G101: this helper reads the token from env; it does not hard-code or argv-expose a secret.
++	credentialHelper := `credential.helper=!f() { echo username=shithub-actions; echo password=$SHITHUB_CHECKOUT_TOKEN; }; f`
++	runGit := func(args ...string) error {
++		if err := d.cfg.Runner.Run(ctx, d.cfg.GitBinary, args, gitEnv, out, errOut); err != nil {
++			return fmt.Errorf("git %s: %w", strings.Join(redactCheckoutArgs(args), " "), err)
++		}
++		return nil
++	}
++
++	if err := runGit("-C", job.WorkspaceDir, "init"); err != nil {
++		return closeWriter(fmt.Errorf("runner engine: checkout step %q failed: %w", stepLabel(step), err))
++	}
++	if err := runGit("-C", job.WorkspaceDir, "remote", "add", "origin", checkoutURL); err != nil {
++		return closeWriter(fmt.Errorf("runner engine: checkout step %q failed: %w", stepLabel(step), err))
++	}
++	fetchArgs := []string{"-C", job.WorkspaceDir, "-c", credentialHelper, "fetch", "--no-tags"}
++	fetchArgs = append(fetchArgs, depthArgs...)
++	fetchArgs = append(fetchArgs, "origin", fetchTarget)
++	if err := runGit(fetchArgs...); err != nil {
++		return closeWriter(fmt.Errorf("runner engine: checkout step %q failed: %w", stepLabel(step), err))
++	}
++	if err := runGit("-C", job.WorkspaceDir, "checkout", "--force", "--detach", headSHA); err != nil {
++		return closeWriter(fmt.Errorf("runner engine: checkout step %q failed: %w", stepLabel(step), err))
++	}
++
++	var rev bytes.Buffer
++	if err := d.cfg.Runner.Run(ctx, d.cfg.GitBinary,
++		[]string{"-C", job.WorkspaceDir, "rev-parse", "HEAD"},
++		gitEnv, io.MultiWriter(out, &rev), errOut); err != nil {
++		return closeWriter(fmt.Errorf("runner engine: checkout step %q failed: git rev-parse HEAD: %w", stepLabel(step), err))
++	}
++	if got := strings.TrimSpace(rev.String()); !strings.EqualFold(got, headSHA) {
++		return closeWriter(fmt.Errorf("runner engine: checkout step %q failed: HEAD %s != expected %s", stepLabel(step), got, headSHA))
++	}
++	fmt.Fprintf(out, "Checked out %s\n", shortObjectID(headSHA))
++	return closeWriter(nil)
++}
++
  type dockerInvocation struct {
  	args           []string
  	env            []string
  	return strings.EqualFold(flat[rootPermissionKey], "write")
+ }
++var gitObjectIDRE = regexp.MustCompile(`^[0-9a-fA-F]{40,64}$`)
++
++func validateCheckoutURL(raw string) (string, error) {
++	raw = strings.TrimSpace(raw)
++	if raw == "" {
++		return "", errors.New("runner engine: checkout url is required")
++	}
++	u, err := url.Parse(raw)
++	if err != nil || u.Scheme == "" || u.Host == "" {
++		return "", fmt.Errorf("runner engine: invalid checkout url %q", raw)
++	}
++	if u.User != nil {
++		return "", errors.New("runner engine: checkout url must not contain credentials")
++	}
++	switch strings.ToLower(u.Scheme) {
++	case "http", "https":
++	default:
++		return "", fmt.Errorf("runner engine: checkout url scheme %q is not allowed", u.Scheme)
++	}
++	return u.String(), nil
++}
++
++func checkoutDepthArgs(with map[string]string) ([]string, error) {
++	for key := range with {
++		if key != "fetch-depth" {
++			return nil, fmt.Errorf("runner engine: unsupported checkout input %q", key)
++		}
++	}
++	raw := strings.TrimSpace(with["fetch-depth"])
++	if raw == "" {
++		return []string{"--depth=1"}, nil
++	}
++	depth, err := strconv.Atoi(raw)
++	if err != nil || depth < 0 || depth > 100000 {
++		return nil, fmt.Errorf("runner engine: invalid checkout fetch-depth %q", raw)
++	}
++	if depth == 0 {
++		return nil, nil
++	}
++	return []string{"--depth=" + strconv.Itoa(depth)}, nil
++}
++
++func shortObjectID(oid string) string {
++	if len(oid) <= 12 {
++		return oid
++	}
++	return oid[:12]
++}
++
++func redactCheckoutArgs(args []string) []string {
++	out := append([]string{}, args...)
++	for i, arg := range out {
++		if strings.Contains(arg, "SHITHUB_CHECKOUT_TOKEN") {
++			out[i] = "credential.helper=<redacted>"
++		}
++	}
++	return out
++}
++
  func (d *Docker) StreamLogs(_ context.Context, jobID int64) (<-chan LogChunk, error) {
  	return d.ensureStream(jobID), nil
+ }

internal/runner/engine/docker_test.gomodified

  	d := NewDocker(DockerConfig{DefaultImage: "runner-image", Network: "bridge", Memory: "2g", CPUs: "2", Runner: &recordingRunner{}})
  	out, err := d.Execute(t.Context(), Job{
  		WorkspaceDir: t.TempDir(),
--		Steps:        []Step{{Uses: "actions/checkout@v4"}},
++		Steps:        []Step{{Uses: "shithub/upload-artifact@v1"}},
  	})
  	if !errors.Is(err, ErrUnsupportedUses) {
  		t.Fatalf("error: %v", err)
+ 	}
+ }
++type checkoutRunner struct {
++	calls []checkoutCall
++}
++
++type checkoutCall struct {
++	name string
++	args []string
++	env  []string
++}
++
++func (r *checkoutRunner) Run(_ context.Context, name string, args []string, env []string, stdout, _ io.Writer) error {
++	r.calls = append(r.calls, checkoutCall{
++		name: name,
++		args: append([]string{}, args...),
++		env:  append([]string{}, env...),
++	})
++	if len(args) >= 4 && args[len(args)-2] == "rev-parse" && args[len(args)-1] == "HEAD" {
++		_, _ = stdout.Write([]byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n"))
++	}
++	return nil
++}
++
++func TestDockerExecute_CheckoutUsesScopedCredentialAndVerifiesHead(t *testing.T) {
++	t.Parallel()
++	rec := &checkoutRunner{}
++	d := NewDocker(DockerConfig{
++		GitBinary:     "git-test",
++		DefaultImage:  "runner-image",
++		Network:       "bridge",
++		Memory:        "2g",
++		CPUs:          "2",
++		LogChunkBytes: 1024,
++		Runner:        rec,
++	})
++	out, err := d.Execute(t.Context(), Job{
++		ID:            1,
++		RunID:         2,
++		CheckoutURL:   "https://shithub.test/alice/demo.git",
++		CheckoutToken: "checkout-token",
++		HeadSHA:       "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
++		HeadRef:       "refs/heads/trunk",
++		WorkspaceDir:  t.TempDir(),
++		Steps: []Step{{
++			ID:   10,
++			Uses: "actions/checkout@v4",
++			With: map[string]string{"fetch-depth": "0"},
++		}},
++	})
++	if err != nil {
++		t.Fatalf("Execute: %v", err)
++	}
++	if out.Conclusion != ConclusionSuccess {
++		t.Fatalf("Conclusion: %q", out.Conclusion)
++	}
++	if len(rec.calls) != 5 {
++		t.Fatalf("git calls: got %d want 5: %#v", len(rec.calls), rec.calls)
++	}
++	want := [][]string{
++		{"-C", rec.calls[0].args[1], "init"},
++		{"-C", rec.calls[1].args[1], "remote", "add", "origin", "https://shithub.test/alice/demo.git"},
++		{"-C", rec.calls[2].args[1], "-c", rec.calls[2].args[3], "fetch", "--no-tags", "origin", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
++		{"-C", rec.calls[3].args[1], "checkout", "--force", "--detach", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
++		{"-C", rec.calls[4].args[1], "rev-parse", "HEAD"},
++	}
++	for i := range want {
++		if rec.calls[i].name != "git-test" {
++			t.Fatalf("call %d name = %q", i, rec.calls[i].name)
++		}
++		if !reflect.DeepEqual(rec.calls[i].args, want[i]) {
++			t.Fatalf("call %d args:\ngot  %#v\nwant %#v", i, rec.calls[i].args, want[i])
++		}
++	}
++	if strings.Contains(strings.Join(rec.calls[2].args, " "), "checkout-token") {
++		t.Fatalf("checkout token leaked into argv: %#v", rec.calls[2].args)
++	}
++	if !containsEnv(rec.calls[2].env, "SHITHUB_CHECKOUT_TOKEN=checkout-token") {
++		t.Fatalf("checkout token missing from git env: %#v", rec.calls[2].env)
++	}
++	if rec.calls[2].args[3] != `credential.helper=!f() { echo username=shithub-actions; echo password=$SHITHUB_CHECKOUT_TOKEN; }; f` {
++		t.Fatalf("credential helper: %q", rec.calls[2].args[3])
++	}
++}
++
++func TestCheckoutDepthArgsRejectsUnsupportedInputs(t *testing.T) {
++	t.Parallel()
++	if _, err := checkoutDepthArgs(map[string]string{"path": "src"}); err == nil || !strings.Contains(err.Error(), `unsupported checkout input "path"`) {
++		t.Fatalf("checkoutDepthArgs error = %v", err)
++	}
++}
++
  func TestContainerWorkdirRejectsEscapes(t *testing.T) {
  	t.Parallel()
  	for _, wd := range []string{"../x", "/tmp"} {

internal/runner/engine/types.gomodified

  	RunIndex       int64
  	WorkflowFile   string
  	WorkflowName   string
++	CheckoutURL    string
++	CheckoutToken  string
  	HeadSHA        string
  	HeadRef        string
  	Event          string

internal/runner/runner.gomodified

  		RunIndex:       job.RunIndex,
  		WorkflowFile:   job.WorkflowFile,
  		WorkflowName:   job.WorkflowName,
++		CheckoutURL:    job.CheckoutURL,
++		CheckoutToken:  job.CheckoutToken,
  		HeadSHA:        job.HeadSHA,
  		HeadRef:        job.HeadRef,
  		Event:          job.Event,

internal/web/githttp_wiring.gomodified

  	"github.com/jackc/pgx/v5/pgxpool"
++	"github.com/tenseleyFlow/shithub/internal/auth/runnerjwt"
  	"github.com/tenseleyFlow/shithub/internal/infra/config"
  	"github.com/tenseleyFlow/shithub/internal/infra/storage"
  	githttph "github.com/tenseleyFlow/shithub/internal/web/handlers/githttp"
  func buildGitHTTPHandlers(
  	cfg config.Config,
  	pool *pgxpool.Pool,
++	runnerJWT *runnerjwt.Signer,
  	logger *slog.Logger,
  ) (*githttph.Handlers, error) {
  	if cfg.Storage.ReposRoot == "" {
  		return nil, fmt.Errorf("git-http: NewRepoFS: %w", err)
  	}
  	return githttph.New(githttph.Deps{
--		Logger: logger,
++		Logger:    logger,
--		Pool:   pool,
++		Pool:      pool,
--		RepoFS: rfs,
++		RepoFS:    rfs,
++		RunnerJWT: runnerJWT,
  	})
  }

internal/web/handlers/api/runners.gomodified

  	"fmt"
  	"io"
  	"net/http"
++	"net/url"
  	"regexp"
  	"sort"
  	"strconv"
  		JobID:    job.ID,
  		RunID:    job.RunID,
  		RepoID:   job.RepoID,
++		Purpose:  runnerjwt.PurposeAPI,
  	})
  	if err != nil {
  		h.d.Logger.ErrorContext(r.Context(), "runner jwt mint failed", "runner_id", runner.ID, "job_id", job.ID, "error", err)
  		writeAPIError(w, http.StatusInternalServerError, "runner token mint failed")
  		return
  	}
++	checkoutToken, _, err := h.d.RunnerJWT.Mint(runnerjwt.MintParams{
++		RunnerID: runner.ID,
++		JobID:    job.ID,
++		RunID:    job.RunID,
++		RepoID:   job.RepoID,
++		Purpose:  runnerjwt.PurposeCheckout,
++	})
++	if err != nil {
++		h.d.Logger.ErrorContext(r.Context(), "runner checkout token mint failed", "runner_id", runner.ID, "job_id", job.ID, "error", err)
++		writeAPIError(w, http.StatusInternalServerError, "runner checkout token mint failed")
++		return
++	}
  	metrics.ActionsRunnerHeartbeatsTotal.WithLabelValues("claimed").Inc()
--	metrics.ActionsRunnerJWTTotal.WithLabelValues("issued").Inc()
++	metrics.ActionsRunnerJWTTotal.WithLabelValues("issued").Add(2)
--	writeJSON(w, http.StatusOK, presentRunnerClaim(job, steps, resolvedSecrets, token, time.Unix(claims.Exp, 0)))
++	writeJSON(w, http.StatusOK, h.presentRunnerClaim(job, steps, resolvedSecrets, token, checkoutToken, time.Unix(claims.Exp, 0)))
  }
  func (h *Handlers) authenticateRunner(w http.ResponseWriter, r *http.Request) (actionsdb.GetRunnerByTokenHashRow, bool) {
  		writeAPIError(w, http.StatusUnauthorized, "job token invalid")
  		return runnerJobAuth{}, false
  	}
++	if claims.Purpose != "" && claims.Purpose != runnerjwt.PurposeAPI {
++		metrics.ActionsRunnerJWTTotal.WithLabelValues("rejected").Inc()
++		writeAPIError(w, http.StatusUnauthorized, "job token invalid")
++		return runnerJobAuth{}, false
++	}
  	if claims.JobID != pathJobID {
  		writeAPIError(w, http.StatusNotFound, "job not found")
  		return runnerJobAuth{}, false
  		JobID:    auth.Claims.JobID,
  		RunID:    auth.Claims.RunID,
  		RepoID:   auth.Claims.RepoID,
++		Purpose:  runnerjwt.PurposeAPI,
  	})
  	if err != nil {
  		h.d.Logger.ErrorContext(r.Context(), "runner next-token mint failed", "job_id", auth.Claims.JobID, "error", err)
  	RunIndex       int64             `json:"run_index"`
  	WorkflowFile   string            `json:"workflow_file"`
  	WorkflowName   string            `json:"workflow_name"`
++	CheckoutURL    string            `json:"checkout_url"`
++	CheckoutToken  string            `json:"checkout_token"`
  	HeadSHA        string            `json:"head_sha"`
  	HeadRef        string            `json:"head_ref"`
  	Event          string            `json:"event"`
  	ContinueOnError  bool            `json:"continue_on_error"`
  }
--func presentRunnerClaim(
++func (h *Handlers) presentRunnerClaim(
  	job actionsdb.ClaimQueuedWorkflowJobRow,
  	steps []actionsdb.ListRunnerStepsForJobRow,
  	resolvedSecrets map[string]string,
  	token string,
++	checkoutToken string,
  	expiresAt time.Time,
  ) runnerClaimResponse {
  	outSteps := make([]runnerStep, 0, len(steps))
  			RunIndex:       job.RunIndex,
  			WorkflowFile:   job.WorkflowFile,
  			WorkflowName:   job.WorkflowName,
++			CheckoutURL:    h.checkoutURL(job.RepoOwner, job.RepoName),
++			CheckoutToken:  checkoutToken,
  			HeadSHA:        job.HeadSha,
  			HeadRef:        job.HeadRef,
  			Event:          string(job.Event),
  	}
  }
++func (h *Handlers) checkoutURL(owner, repoName string) string {
++	base := strings.TrimRight(strings.TrimSpace(h.d.BaseURL), "/")
++	if base == "" {
++		return ""
++	}
++	return base + "/" + url.PathEscape(owner) + "/" + url.PathEscape(repoName) + ".git"
++}
++
  func rawJSONOrObject(b []byte) json.RawMessage {
  	if len(b) == 0 || !json.Valid(b) {
  		return json.RawMessage(`{}`)

internal/web/handlers/api/runners_test.gomodified

  	var resp struct {
  		Token string `json:"token"`
  		Job   struct {
--			ID           int64          `json:"id"`
++			ID            int64          `json:"id"`
--			RunID        int64          `json:"run_id"`
++			RunID         int64          `json:"run_id"`
--			RepoID       int64          `json:"repo_id"`
++			RepoID        int64          `json:"repo_id"`
--			EventPayload map[string]any `json:"event_payload"`
++			CheckoutURL   string         `json:"checkout_url"`
--			Steps        []struct {
++			CheckoutToken string         `json:"checkout_token"`
++			EventPayload  map[string]any `json:"event_payload"`
++			Steps         []struct {
  				Run  string `json:"run"`
  				Uses string `json:"uses"`
  			} `json:"steps"`
  	if resp.Job.RunID != runID || resp.Job.RepoID != repoID || len(resp.Job.Steps) != 2 {
  		t.Fatalf("unexpected job payload: %+v", resp.Job)
+ 	}
++	if resp.Job.CheckoutURL != "https://shithub.test/alice/demo.git" || resp.Job.CheckoutToken == "" {
++		t.Fatalf("checkout payload: url=%q token_empty=%t", resp.Job.CheckoutURL, resp.Job.CheckoutToken == "")
++	}
  	if resp.Job.EventPayload["ref"] != "refs/heads/trunk" {
  		t.Fatalf("event payload not returned to runner: %#v", resp.Job.EventPayload)
+ 	}
  	if claimRunnerID != runnerID {
  		t.Fatalf("claims runner_id: got %d, want %d", claimRunnerID, runnerID)
+ 	}
++	if claims.Purpose != runnerjwt.PurposeAPI {
++		t.Fatalf("api token purpose: got %q", claims.Purpose)
++	}
++	checkoutClaims, err := signer.Verify(resp.Job.CheckoutToken)
++	if err != nil {
++		t.Fatalf("verify checkout token: %v", err)
++	}
++	if checkoutClaims.JobID != resp.Job.ID || checkoutClaims.RunID != runID || checkoutClaims.RepoID != repoID ||
++		checkoutClaims.Purpose != runnerjwt.PurposeCheckout {
++		t.Fatalf("checkout claims/job mismatch: claims=%+v job=%+v", checkoutClaims, resp.Job)
++	}
  	var logResp struct {
  		Accepted  bool   `json:"accepted"`
  	h, err := apih.New(apih.Deps{
  		Pool:        pool,
  		Logger:      logger,
++		BaseURL:     "https://shithub.test",
  		RunnerJWT:   signer,
  		ObjectStore: store,
  	})
  	h, err := apih.New(apih.Deps{
  		Pool:      pool,
  		Logger:    logger,
++		BaseURL:   "https://shithub.test",
  		RunnerJWT: signer,
  		RepoFS:    rfs,
  	})
  	h, err := apih.New(apih.Deps{
  		Pool:      pool,
  		Logger:    logger,
++		BaseURL:   "https://shithub.test",
  		RunnerJWT: signer,
  		SecretBox: box,
  	})

internal/web/handlers/githttp/auth.gomodified

  	"strings"
  	"time"
++	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"
  	"github.com/tenseleyFlow/shithub/internal/auth/password"
  	"github.com/tenseleyFlow/shithub/internal/auth/pat"
++	"github.com/tenseleyFlow/shithub/internal/auth/runnerjwt"
+ )
  // resolvedAuth carries the resolved identity for a git-over-HTTPS
  // callers decide whether anonymous is allowed (yes for pulling a public
  // repo, no for everything else).
  type resolvedAuth struct {
--	Anonymous bool
++	Anonymous          bool
--	UserID    int64
++	UserID             int64
--	Username  string
++	Username           string
--	ViaPAT    bool
++	ViaPAT             bool
++	ViaRunnerCheckout  bool
++	RunnerCheckoutRepo int64
+ }
  // errBadCredentials is the catch-all for "creds were sent but didn't
  		return resolvedAuth{}, errBadCredentials
+ 	}
++	if got, err := h.resolveViaRunnerCheckout(ctx, secret); err == nil {
++		return got, nil
++	}
  	if strings.HasPrefix(secret, pat.Prefix) {
  		if got, err := h.resolveViaPAT(ctx, secret); err == nil {
  			return got, nil
  	return h.resolveViaPassword(ctx, user, secret)
+ }
++func (h *Handlers) resolveViaRunnerCheckout(ctx context.Context, raw string) (resolvedAuth, error) {
++	if h.d.RunnerJWT == nil || raw == "" {
++		return resolvedAuth{}, errBadCredentials
++	}
++	claims, err := h.d.RunnerJWT.Verify(raw)
++	if err != nil || claims.Purpose != runnerjwt.PurposeCheckout {
++		return resolvedAuth{}, errBadCredentials
++	}
++	runnerID, err := claims.RunnerID()
++	if err != nil {
++		return resolvedAuth{}, errBadCredentials
++	}
++	job, err := h.aq.GetWorkflowJobByID(ctx, h.d.Pool, claims.JobID)
++	if err != nil {
++		return resolvedAuth{}, errBadCredentials
++	}
++	run, err := h.aq.GetWorkflowRunByID(ctx, h.d.Pool, job.RunID)
++	if err != nil {
++		return resolvedAuth{}, errBadCredentials
++	}
++	if job.RunID != claims.RunID ||
++		run.RepoID != claims.RepoID ||
++		job.Status != actionsdb.WorkflowJobStatusRunning ||
++		!job.RunnerID.Valid ||
++		job.RunnerID.Int64 != runnerID {
++		return resolvedAuth{}, errBadCredentials
++	}
++	return resolvedAuth{
++		Username:           "shithub-actions",
++		ViaRunnerCheckout:  true,
++		RunnerCheckoutRepo: claims.RepoID,
++	}, nil
++}
++
  // resolveViaPAT looks up the token by its sha256 hash, checks
  // revoked/expired/suspended, and returns the owning user. Returns
  // errBadCredentials on any failure (no leak about which check failed).

internal/web/handlers/githttp/githttp.gomodified

  	"github.com/jackc/pgx/v5/pgxpool"
++	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"
++	"github.com/tenseleyFlow/shithub/internal/auth/runnerjwt"
  	"github.com/tenseleyFlow/shithub/internal/infra/storage"
  	orgsdb "github.com/tenseleyFlow/shithub/internal/orgs/sqlc"
  	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
  // Deps wires the git-HTTP handler set.
  type Deps struct {
--	Logger *slog.Logger
++	Logger    *slog.Logger
--	Pool   *pgxpool.Pool
++	Pool      *pgxpool.Pool
--	RepoFS *storage.RepoFS
++	RepoFS    *storage.RepoFS
++	RunnerJWT *runnerjwt.Signer
  	// MaxPushBytes is the hard cap on the git-receive-pack request body.
  	// Defaults to 2 GiB when zero.
  	MaxPushBytes int64
  // Handlers is the registered handler set. Construct via New.
  type Handlers struct {
  	d  Deps
++	aq *actionsdb.Queries
  	uq *usersdb.Queries
  	rq *reposdb.Queries
  	oq *orgsdb.Queries
  	if d.MaxPushBytes == 0 {
  		d.MaxPushBytes = DefaultMaxPushBytes
  	}
--	return &Handlers{d: d, uq: usersdb.New(), rq: reposdb.New(), oq: orgsdb.New()}, nil
++	return &Handlers{d: d, aq: actionsdb.New(), uq: usersdb.New(), rq: reposdb.New(), oq: orgsdb.New()}, nil
  }

internal/web/handlers/githttp/githttp_test.gomodified

  	"github.com/jackc/pgx/v5/pgtype"
  	"github.com/jackc/pgx/v5/pgxpool"
++	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"
  	"github.com/tenseleyFlow/shithub/internal/auth/audit"
  	"github.com/tenseleyFlow/shithub/internal/auth/pat"
++	"github.com/tenseleyFlow/shithub/internal/auth/runnerjwt"
  	"github.com/tenseleyFlow/shithub/internal/auth/throttle"
  	"github.com/tenseleyFlow/shithub/internal/infra/storage"
  	"github.com/tenseleyFlow/shithub/internal/orgs"
  // private repo, mounts the smart-HTTP handlers on a httptest server,
  // and returns everything callers need.
  type env struct {
--	srv      *httptest.Server
++	srv        *httptest.Server
--	pool     *pgxpool.Pool
++	pool       *pgxpool.Pool
--	userID   int64
++	userID     int64
--	user     string
++	user       string
--	pwd      string
++	pwd        string
--	patRaw   string
++	patRaw     string
--	pubRepo  string
++	pubRepo    string
--	privRepo string
++	pubRepoID  int64
--	root     string
++	privRepo   string
++	privRepoID int64
++	root       string
++	runnerJWT  *runnerjwt.Signer
+ }
  func setupEnv(t *testing.T) *env {
  		Pool: pool, RepoFS: rfs, Audit: audit.NewRecorder(), Limiter: throttle.NewLimiter(),
  		Logger: slog.New(slog.NewTextHandler(io.Discard, nil)),
+ 	}
--	if _, err := repos.Create(context.Background(), rdeps, repos.Params{
++	publicRes, err := repos.Create(context.Background(), rdeps, repos.Params{
  		OwnerUserID: user.ID, OwnerUsername: user.Username,
  		Name: "public-repo", Visibility: "public", InitReadme: true,
--	}); err != nil {
++	})
++	if err != nil {
  		t.Fatalf("create public: %v", err)
+ 	}
--	if _, err := repos.Create(context.Background(), rdeps, repos.Params{
++	privateRes, err := repos.Create(context.Background(), rdeps, repos.Params{
  		OwnerUserID: user.ID, OwnerUsername: user.Username,
  		Name: "private-repo", Visibility: "private", InitReadme: true,
--	}); err != nil {
++	})
++	if err != nil {
  		t.Fatalf("create private: %v", err)
+ 	}
  		t.Fatalf("create PAT row: %v", err)
+ 	}
++	runnerJWT := runnerHTTPSigner(t)
  	h, err := githttph.New(githttph.Deps{
  		Logger: slog.New(slog.NewTextHandler(io.Discard, nil)),
--		Pool:   pool, RepoFS: rfs,
++		Pool:   pool, RepoFS: rfs, RunnerJWT: runnerJWT,
  	})
  	if err != nil {
  		t.Fatalf("New: %v", err)
  	return &env{
  		srv: srv, pool: pool, userID: user.ID,
  		user: "alice", pwd: "wrong-not-real-password", patRaw: raw,
--		pubRepo: "public-repo", privRepo: "private-repo", root: root,
++		pubRepo: "public-repo", pubRepoID: publicRes.Repo.ID,
++		privRepo: "private-repo", privRepoID: privateRes.Repo.ID,
++		root: root, runnerJWT: runnerJWT,
+ 	}
+ }
+ 	}
+ }
++func TestGitHTTP_RunnerCheckoutTokenClonesPrivateRepoReadOnly(t *testing.T) {
++	t.Parallel()
++	env := setupEnv(t)
++	token := env.runnerCheckoutToken(t, env.privRepoID)
++
++	dst := filepath.Join(t.TempDir(), "clone")
++	cloneURL := authedURL(env.srv.URL, "shithub-actions", token, "/alice/private-repo.git")
++	out, err := gitCmd("clone", cloneURL, dst).CombinedOutput()
++	if err != nil {
++		t.Fatalf("clone with checkout token: %v\n%s", err, out)
++	}
++	out, err = gitCmd("-C", dst, "rev-list", "--count", "HEAD").CombinedOutput()
++	if err != nil {
++		t.Fatalf("rev-list: %v\n%s", err, out)
++	}
++	if got := strings.TrimSpace(string(out)); got != "1" {
++		t.Fatalf("rev-list = %q, want 1", got)
++	}
++
++	for _, c := range [][]string{
++		{"-C", dst, "config", "user.name", "Runner"},
++		{"-C", dst, "config", "user.email", "runner@example.test"},
++	} {
++		if out, err := gitCmd(c...).CombinedOutput(); err != nil {
++			t.Fatalf("config: %v\n%s", err, out)
++		}
++	}
++	if err := writeFile(filepath.Join(dst, "blocked.txt"), "x\n"); err != nil {
++		t.Fatalf("write: %v", err)
++	}
++	for _, c := range [][]string{
++		{"-C", dst, "add", "blocked.txt"},
++		{"-C", dst, "commit", "-m", "blocked"},
++	} {
++		if out, err := gitCmd(c...).CombinedOutput(); err != nil {
++			t.Fatalf("git %v: %v\n%s", c, err, out)
++		}
++	}
++	out, err = gitCmd("-C", dst, "push", "origin", "trunk").CombinedOutput()
++	if err == nil {
++		t.Fatalf("checkout token push unexpectedly succeeded: %s", out)
++	}
++	if !strings.Contains(string(out), "read-only") {
++		t.Fatalf("expected read-only checkout-token message, got: %s", out)
++	}
++}
++
++func TestGitHTTP_RunnerCheckoutTokenCannotReadOtherRepo(t *testing.T) {
++	t.Parallel()
++	env := setupEnv(t)
++	token := env.runnerCheckoutToken(t, env.pubRepoID)
++	dst := filepath.Join(t.TempDir(), "clone")
++	cmd := gitCmd("clone", authedURL(env.srv.URL, "shithub-actions", token, "/alice/private-repo.git"), dst)
++	cmd.Env = append(cmd.Environ(), "GIT_TERMINAL_PROMPT=0", "GIT_ASKPASS=/bin/false")
++	out, err := cmd.CombinedOutput()
++	if err == nil {
++		t.Fatalf("expected checkout token for public repo to fail against private repo; output: %s", out)
++	}
++}
++
  func TestGitHTTP_PATPushRoundtrip(t *testing.T) {
  	t.Parallel()
  	env := setupEnv(t)
  	return os.WriteFile(path, []byte(body), 0o600)
+ }
++func (e *env) runnerCheckoutToken(t *testing.T, repoID int64) string {
++	t.Helper()
++	ctx := context.Background()
++	q := actionsdb.New()
++	runner, err := q.InsertRunner(ctx, e.pool, actionsdb.InsertRunnerParams{
++		Name:     "runner-" + e.privRepo,
++		Labels:   []string{"ubuntu-latest"},
++		Capacity: 1,
++	})
++	if err != nil {
++		t.Fatalf("InsertRunner: %v", err)
++	}
++	run, err := q.InsertWorkflowRun(ctx, e.pool, actionsdb.InsertWorkflowRunParams{
++		RepoID:       repoID,
++		RunIndex:     1,
++		WorkflowFile: ".shithub/workflows/ci.yml",
++		WorkflowName: "CI",
++		HeadSha:      strings.Repeat("a", 40),
++		HeadRef:      "refs/heads/trunk",
++		Event:        actionsdb.WorkflowRunEventPush,
++		EventPayload: []byte(`{}`),
++		ActorUserID:  pgtype.Int8{Int64: e.userID, Valid: true},
++	})
++	if err != nil {
++		t.Fatalf("InsertWorkflowRun: %v", err)
++	}
++	job, err := q.InsertWorkflowJob(ctx, e.pool, actionsdb.InsertWorkflowJobParams{
++		RunID:          run.ID,
++		JobIndex:       0,
++		JobKey:         "checkout",
++		JobName:        "checkout",
++		RunsOn:         "ubuntu-latest",
++		NeedsJobs:      []string{},
++		TimeoutMinutes: 30,
++		Permissions:    []byte(`{}`),
++		JobEnv:         []byte(`{}`),
++	})
++	if err != nil {
++		t.Fatalf("InsertWorkflowJob: %v", err)
++	}
++	if _, err := e.pool.Exec(ctx, `UPDATE workflow_jobs SET runner_id = $1, status = 'running', started_at = now() WHERE id = $2`, runner.ID, job.ID); err != nil {
++		t.Fatalf("mark job running: %v", err)
++	}
++	token, _, err := e.runnerJWT.Mint(runnerjwt.MintParams{
++		RunnerID: runner.ID,
++		JobID:    job.ID,
++		RunID:    run.ID,
++		RepoID:   repoID,
++		Purpose:  runnerjwt.PurposeCheckout,
++	})
++	if err != nil {
++		t.Fatalf("Mint checkout token: %v", err)
++	}
++	return token
++}
++
++func runnerHTTPSigner(t *testing.T) *runnerjwt.Signer {
++	t.Helper()
++	signer, err := runnerjwt.NewFromKey(
++		bytesOf(0x88, 32),
++		runnerjwt.WithClock(func() time.Time { return time.Now().UTC() }),
++	)
++	if err != nil {
++		t.Fatalf("runnerjwt.NewFromKey: %v", err)
++	}
++	return signer
++}
++
++func bytesOf(b byte, n int) []byte {
++	out := make([]byte, n)
++	for i := range out {
++		out[i] = b
++	}
++	return out
++}
++
  // TestGitHTTP_AnonCloneOrgOwnedPublic is a regression for an outage
  // on 2026-05-09: pushing to https://shithub.sh/tenseleyflow/shithub.git
  // returned 404 because authorizeForService only resolved owner-slugs

internal/web/handlers/githttp/handler.gomodified

  		writeChallenge(w)
  		return reposdb.Repo{}, false
+ 	}
++	if auth.ViaRunnerCheckout {
++		if svc != protocol.UploadPack {
++			writeGitErrorMessage(w, http.StatusForbidden,
++				"shithub Actions checkout credentials are read-only")
++			return reposdb.Repo{}, false
++		}
++		if auth.RunnerCheckoutRepo != row.ID {
++			http.Error(w, "not found", http.StatusNotFound)
++			return reposdb.Repo{}, false
++		}
++		return row, true
++	}
  	// Build the policy actor and ask Can(). Owner identity, collab role,
  	// archived/deleted gates all live in the policy package now.

internal/web/server.gomodified


 			})
 		}
 
+		gitHTTPH, err := buildGitHTTPHandlers(cfg, pool, runnerJWT, logger)
 		if err != nil {
 			return fmt.Errorf("git-http handlers: %w", err)
 		}

`@@ -338,7 +338,7 @@` func Run(ctx context.Context, opts Options) error {
338	})	338	})
339	}	339	}
340		340
341	- gitHTTPH, err := buildGitHTTPHandlers(cfg, pool, logger)	341	+ gitHTTPH, err := buildGitHTTPHandlers(cfg, pool, runnerJWT, logger)
342	if err != nil {	342	if err != nil {
343	return fmt.Errorf("git-http handlers: %w", err)	343	return fmt.Errorf("git-http handlers: %w", err)
344	}	344	}

tenseleyflow/shithub / `33b66c6`

17 changed files