`34b84f5`

repo/actions: add approvals and policy settings UI (S41j-3)

Authored by mfwolffe <wolffemf@dukes.jmu.edu> yesterday

SHA: 34b84f539804d5bc8494dfed7ff2145de7d22277
Parents: a325a33
Tree: cf64695

15 changed files

Status	File	+	-
A	`internal/actions/lifecycle/approval.go`	134	0
A	`internal/actions/lifecycle/approval_test.go`	56	0
M	`internal/auth/audit/audit.go`	3	0
M	`internal/web/handlers/repo/actions.go`	87	61
A	`internal/web/handlers/repo/actions_approval.go`	88	0
M	`internal/web/handlers/repo/actions_cancel.go`	8	1
M	`internal/web/handlers/repo/actions_test.go`	142	16
M	`internal/web/handlers/repo/repo.go`	2	0
M	`internal/web/handlers/repo/repo_test.go`	2	1
M	`internal/web/handlers/repo/settings_actions.go`	201	0
M	`internal/web/handlers/repo/settings_actions_test.go`	40	0
M	`internal/web/static/css/shithub.css`	19	0
M	`internal/web/templates/_repo_settings_nav.html`	3	0
M	`internal/web/templates/repo/action_run.html`	22	0
A	`internal/web/templates/repo/settings_actions.html`	64	0

internal/actions/lifecycle/approval.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +package lifecycle
++
 +import (
 +	"context"
 +	"errors"
++
 +	"github.com/jackc/pgx/v5"
 +	"github.com/jackc/pgx/v5/pgtype"
++
 +	"github.com/tenseleyFlow/shithub/internal/actions/checksync"
 +	actionsevents "github.com/tenseleyFlow/shithub/internal/actions/events"
 +	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"
 +)
++
 +var (
 +	ErrApprovalActorRequired = errors.New("actions lifecycle: approval actor required")
 +	ErrRunNotApprovalPending = errors.New("actions lifecycle: run is not pending approval")
 +)
++
 +type ApprovalResult struct {
 +	Run         actionsdb.WorkflowRun
 +	ChangedJobs []actionsdb.WorkflowJob
 +}
++
 +// ApproveRun records a maintainer approval. The existing queued jobs remain
 +// queued; the runner claim query re-evaluates dispatch naturally, so approval
 +// never duplicates workflow_runs or workflow_jobs.
 +func ApproveRun(ctx context.Context, deps Deps, runID, actorUserID int64) (ApprovalResult, error) {
 +	if actorUserID == 0 {
 +		return ApprovalResult{}, ErrApprovalActorRequired
 +	}
 +	q := actionsdb.New()
 +	run, err := q.ApproveWorkflowRun(ctx, deps.Pool, actionsdb.ApproveWorkflowRunParams{
 +		ID: runID,
 +		ApprovedByUserID: pgtype.Int8{
 +			Int64: actorUserID,
 +			Valid: true,
 +		},
 +	})
 +	if err != nil {
 +		if errors.Is(err, pgx.ErrNoRows) {
 +			return ApprovalResult{}, ErrRunNotApprovalPending
 +		}
 +		return ApprovalResult{}, err
 +	}
 +	return ApprovalResult{Run: workflowRunFromApprovalRow(run)}, nil
 +}
++
 +func workflowRunFromApprovalRow(row actionsdb.ApproveWorkflowRunRow) actionsdb.WorkflowRun {
 +	return actionsdb.WorkflowRun{
 +		ID:               row.ID,
 +		RepoID:           row.RepoID,
 +		RunIndex:         row.RunIndex,
 +		WorkflowFile:     row.WorkflowFile,
 +		WorkflowName:     row.WorkflowName,
 +		HeadSha:          row.HeadSha,
 +		HeadRef:          row.HeadRef,
 +		Event:            row.Event,
 +		EventPayload:     row.EventPayload,
 +		ActorUserID:      row.ActorUserID,
 +		ParentRunID:      row.ParentRunID,
 +		ConcurrencyGroup: row.ConcurrencyGroup,
 +		Status:           row.Status,
 +		Conclusion:       row.Conclusion,
 +		Pinned:           row.Pinned,
 +		NeedApproval:     row.NeedApproval,
 +		ApprovedByUserID: row.ApprovedByUserID,
 +		StartedAt:        row.StartedAt,
 +		CompletedAt:      row.CompletedAt,
 +		Version:          row.Version,
 +		CreatedAt:        row.CreatedAt,
 +		UpdatedAt:        row.UpdatedAt,
 +		TriggerEventID:   row.TriggerEventID,
 +	}
 +}
++
 +// RejectRun turns a pending-approval run into a completed/action_required run
 +// and mirrors every queued job to its check_run. It only acts on runs that are
 +// still pending approval, so an approve/reject race resolves cleanly.
 +func RejectRun(ctx context.Context, deps Deps, runID, actorUserID int64) (ApprovalResult, error) {
 +	if actorUserID == 0 {
 +		return ApprovalResult{}, ErrApprovalActorRequired
 +	}
 +	q := actionsdb.New()
 +	tx, err := deps.Pool.Begin(ctx)
 +	if err != nil {
 +		return ApprovalResult{}, err
 +	}
 +	committed := false
 +	defer func() {
 +		if !committed {
 +			_ = tx.Rollback(ctx)
 +		}
 +	}()
 +	if _, err := q.RejectWorkflowRunApproval(ctx, tx, actionsdb.RejectWorkflowRunApprovalParams{
 +		RunID: runID,
 +		RejectedByUserID: pgtype.Int8{
 +			Int64: actorUserID,
 +			Valid: true,
 +		},
 +	}); err != nil {
 +		if errors.Is(err, pgx.ErrNoRows) {
 +			return ApprovalResult{}, ErrRunNotApprovalPending
 +		}
 +		return ApprovalResult{}, err
 +	}
 +	jobs, err := q.MarkWorkflowJobsRejected(ctx, tx, runID)
 +	if err != nil {
 +		return ApprovalResult{}, err
 +	}
 +	run, err := q.MarkWorkflowRunRejected(ctx, tx, runID)
 +	if err != nil {
 +		if errors.Is(err, pgx.ErrNoRows) {
 +			return ApprovalResult{}, ErrRunNotApprovalPending
 +		}
 +		return ApprovalResult{}, err
 +	}
 +	for _, job := range jobs {
 +		if err := actionsevents.EmitJobTx(ctx, tx, run, job, actionsevents.ActionCancelled); err != nil {
 +			return ApprovalResult{}, err
 +		}
 +	}
 +	if err := actionsevents.EmitRunTx(ctx, tx, run, actionsevents.ActionCompleted); err != nil {
 +		return ApprovalResult{}, err
 +	}
 +	if err := tx.Commit(ctx); err != nil {
 +		return ApprovalResult{}, err
 +	}
 +	committed = true
 +	checksync.ChangedJobs(ctx, checksync.Deps{Pool: deps.Pool, Logger: deps.Logger}, jobs)
 +	return ApprovalResult{Run: run, ChangedJobs: jobs}, nil
 +}

internal/actions/lifecycle/approval_test.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +package lifecycle
++
 +import (
 +	"context"
 +	"errors"
 +	"testing"
++
 +	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"
 +	"github.com/tenseleyFlow/shithub/internal/testing/dbtest"
 +)
++
 +func TestApproveRunDoesNotRecordApprovalForNonQueuedRun(t *testing.T) {
 +	ctx := context.Background()
 +	pool := dbtest.NewTestDB(t)
 +	repoID, userID := setupLifecycleRepo(t, pool)
 +	q := actionsdb.New()
 +	run := insertLifecycleRun(t, pool, repoID, userID, 1)
 +	if _, err := pool.Exec(ctx, `
 +		UPDATE workflow_runs
 +		SET need_approval = true,
 +		    status = 'completed',
 +		    conclusion = 'success',
 +		    completed_at = now()
 +		WHERE id = $1`,
 +		run.ID,
 +	); err != nil {
 +		t.Fatalf("mark run completed: %v", err)
 +	}
 +	if _, err := q.InsertWorkflowRunApproval(ctx, pool, actionsdb.InsertWorkflowRunApprovalParams{
 +		RunID:           run.ID,
 +		RequestedReason: "approval required",
 +	}); err != nil {
 +		t.Fatalf("InsertWorkflowRunApproval: %v", err)
 +	}
++
 +	_, err := ApproveRun(ctx, Deps{Pool: pool}, run.ID, userID)
 +	if !errors.Is(err, ErrRunNotApprovalPending) {
 +		t.Fatalf("ApproveRun error = %v, want ErrRunNotApprovalPending", err)
 +	}
 +	approval, err := q.GetWorkflowRunApproval(ctx, pool, run.ID)
 +	if err != nil {
 +		t.Fatalf("GetWorkflowRunApproval: %v", err)
 +	}
 +	if approval.ApprovedByUserID.Valid || approval.ApprovedAt.Valid {
 +		t.Fatalf("approval row changed for non-queued run: %+v", approval)
 +	}
 +	gotRun, err := q.GetWorkflowRunByID(ctx, pool, run.ID)
 +	if err != nil {
 +		t.Fatalf("GetWorkflowRunByID: %v", err)
 +	}
 +	if gotRun.ApprovedByUserID.Valid {
 +		t.Fatalf("run was approved despite terminal state: %+v", gotRun)
 +	}
 +}

internal/auth/audit/audit.gomodified

  	ActionActionsSecretDeleted   Action = "actions_secret_deleted"
  	ActionActionsVariableSet     Action = "actions_variable_set"
  	ActionActionsVariableDeleted Action = "actions_variable_deleted"
 +	ActionActionsPolicyUpdated   Action = "actions_policy_updated"
  	// S41h — Actions run/job lifecycle. Metadata must stay structural:
  	// run/job ids, status, conclusion, workflow path/name. Never include
  	ActionWorkflowJobStarted   Action = "workflow_job_started"
  	ActionWorkflowJobCompleted Action = "workflow_job_completed"
  	ActionWorkflowJobCancelled Action = "workflow_job_cancelled"
 +	ActionWorkflowRunApproved  Action = "workflow_run_approved"
 +	ActionWorkflowRunRejected  Action = "workflow_run_rejected"
  	// S34 — site admin actions. Always recorded with the real admin's
  	// id in actor_id; impersonation flows additionally carry the

internal/web/handlers/repo/actions.gomodified

+ }
  type actionsRunDetailView struct {
 -	ID             int64
 -	RunIndex       int64
 -	WorkflowFile   string
 -	WorkflowName   string
 -	Title          string
 -	HeadSha        string
 -	HeadShaShort   string
 -	HeadRef        string
 -	Event          string
 -	EventLabel     string
 -	ActorUsername  string
 -	StateText      string
 -	StateClass     string
 -	StateIcon      string
 -	CreatedAt      time.Time
 -	UpdatedAt      time.Time
 -	Duration       string
 -	IsTerminal     bool
 -	StatusHref     string
 -	CancelHref     string
 -	CanCancel      bool
 -	RerunHref      string
 -	CanRerun       bool
 -	ParentRunIndex int64
 -	ParentRunHref  string
 -	ActionsHref    string
 -	CodeHref       string
 -	ArtifactCount  int
 -	JobCount       int
 -	CompletedCount int
 -	FailureCount   int
 -	Jobs           []actionsJobDetailView
 -	Stages         []actionsJobStageView
 +	ID               int64
 +	RunIndex         int64
 +	WorkflowFile     string
 +	WorkflowName     string
 +	Title            string
 +	HeadSha          string
 +	HeadShaShort     string
 +	HeadRef          string
 +	Event            string
 +	EventLabel       string
 +	ActorUsername    string
 +	StateText        string
 +	StateClass       string
 +	StateIcon        string
 +	CreatedAt        time.Time
 +	UpdatedAt        time.Time
 +	Duration         string
 +	IsTerminal       bool
 +	NeedApproval     bool
 +	ApprovalPending  bool
 +	ApprovalRejected bool
 +	ApprovalReason   string
 +	ApproveHref      string
 +	RejectHref       string
 +	CanApprove       bool
 +	StatusHref       string
 +	CancelHref       string
 +	CanCancel        bool
 +	RerunHref        string
 +	CanRerun         bool
 +	ParentRunIndex   int64
 +	ParentRunHref    string
 +	ActionsHref      string
 +	CodeHref         string
 +	ArtifactCount    int
 +	JobCount         int
 +	CompletedCount   int
 +	FailureCount     int
 +	Jobs             []actionsJobDetailView
 +	Stages           []actionsJobStageView
+ }
  type actionsJobDetailView struct {
  	runPath := basePath + "/runs/" + strconv.FormatInt(run.RunIndex, 10)
  	now := time.Now()
  	stateText, stateClass, stateIcon := workflowRunState(run.Status, run.Conclusion)
 +	approvalPending := run.NeedApproval && !run.ApprovedByUserID.Valid && run.Status == actionsdb.WorkflowRunStatusQueued
 +	if approvalPending {
 +		stateText, stateClass, stateIcon = "Approval required", "pending", "clock"
 +	}
  	updatedAt := pgTime(run.UpdatedAt, run.CreatedAt.Time)
  	view := actionsRunDetailView{
 -		ID:             run.ID,
 -		RunIndex:       run.RunIndex,
 -		WorkflowFile:   run.WorkflowFile,
 -		WorkflowName:   run.WorkflowName,
 -		Title:          workflowDisplayName(run.WorkflowName, run.WorkflowFile),
 -		HeadSha:        run.HeadSha,
 -		HeadShaShort:   shortSHA(run.HeadSha),
 -		HeadRef:        run.HeadRef,
 -		Event:          string(run.Event),
 -		EventLabel:     workflowRunEventLabel(string(run.Event)),
 -		ActorUsername:  run.ActorUsername,
 -		StateText:      stateText,
 -		StateClass:     stateClass,
 -		StateIcon:      stateIcon,
 -		CreatedAt:      run.CreatedAt.Time,
 -		UpdatedAt:      updatedAt,
 -		Duration:       workflowRunDuration(run.Status, run.StartedAt, run.CompletedAt, run.CreatedAt, updatedAt, now),
 -		IsTerminal:     workflowRunTerminal(run.Status),
 -		StatusHref:     runPath + "/status",
 -		CancelHref:     runPath + "/cancel",
 -		RerunHref:      runPath + "/rerun",
 -		ActionsHref:    basePath,
 -		CodeHref:       "/" + owner + "/" + repoName + "/tree/" + codeTarget(run.HeadRef, run.HeadSha),
 -		ArtifactCount:  len(artifacts),
 -		JobCount:       len(jobs),
 -		CompletedCount: 0,
 -		FailureCount:   0,
 -		Jobs:           make([]actionsJobDetailView, 0, len(jobs)),
 +		ID:              run.ID,
 +		RunIndex:        run.RunIndex,
 +		WorkflowFile:    run.WorkflowFile,
 +		WorkflowName:    run.WorkflowName,
 +		Title:           workflowDisplayName(run.WorkflowName, run.WorkflowFile),
 +		HeadSha:         run.HeadSha,
 +		HeadShaShort:    shortSHA(run.HeadSha),
 +		HeadRef:         run.HeadRef,
 +		Event:           string(run.Event),
 +		EventLabel:      workflowRunEventLabel(string(run.Event)),
 +		ActorUsername:   run.ActorUsername,
 +		StateText:       stateText,
 +		StateClass:      stateClass,
 +		StateIcon:       stateIcon,
 +		CreatedAt:       run.CreatedAt.Time,
 +		UpdatedAt:       updatedAt,
 +		Duration:        workflowRunDuration(run.Status, run.StartedAt, run.CompletedAt, run.CreatedAt, updatedAt, now),
 +		IsTerminal:      workflowRunTerminal(run.Status),
 +		NeedApproval:    run.NeedApproval,
 +		ApprovalPending: approvalPending,
 +		StatusHref:      runPath + "/status",
 +		ApproveHref:     runPath + "/approve",
 +		RejectHref:      runPath + "/reject",
 +		CancelHref:      runPath + "/cancel",
 +		RerunHref:       runPath + "/rerun",
 +		ActionsHref:     basePath,
 +		CodeHref:        "/" + owner + "/" + repoName + "/tree/" + codeTarget(run.HeadRef, run.HeadSha),
 +		ArtifactCount:   len(artifacts),
 +		JobCount:        len(jobs),
 +		CompletedCount:  0,
 +		FailureCount:    0,
 +		Jobs:            make([]actionsJobDetailView, 0, len(jobs)),
+ 	}
  	if run.ParentRunID.Valid {
  		parent, err := q.GetWorkflowRunByID(ctx, h.d.Pool, run.ParentRunID.Int64)
  			view.ParentRunHref = basePath + "/runs/" + strconv.FormatInt(parent.RunIndex, 10)
+ 		}
+ 	}
 +	if run.NeedApproval {
 +		if approval, err := q.GetWorkflowRunApproval(ctx, h.d.Pool, run.ID); err == nil {
 +			view.ApprovalReason = approval.RequestedReason
 +			view.ApprovalRejected = approval.RejectedAt.Valid
 +		} else if !errors.Is(err, pgx.ErrNoRows) {
 +			return actionsRunDetailView{}, err
 +		}
 +	}
  	for _, job := range jobs {
  		steps, err := q.ListStepsForJob(ctx, h.d.Pool, job.ID)
  		if err != nil {
  			return actionsRunDetailView{}, err
+ 		}
  		jobView := actionsJobDetailViewFromRow(job, owner, repoName, run.RunIndex, now)
 +		if approvalPending && job.Status == actionsdb.WorkflowJobStatusQueued {
 +			jobView.WaitReason = "Waiting for maintainer approval"
 +		}
  		jobView.Steps = make([]actionsStepDetailView, 0, len(steps))
  		for _, step := range steps {
  			jobView.Steps = append(jobView.Steps, actionsStepDetailViewFromRow(step, owner, repoName, run.RunIndex, job.JobIndex, now))

internal/web/handlers/repo/actions_approval.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +package repo
++
 +import (
 +	"errors"
 +	"net/http"
++
 +	"github.com/jackc/pgx/v5"
++
 +	actionslifecycle "github.com/tenseleyFlow/shithub/internal/actions/lifecycle"
 +	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"
 +	"github.com/tenseleyFlow/shithub/internal/auth/audit"
 +	"github.com/tenseleyFlow/shithub/internal/auth/policy"
 +	"github.com/tenseleyFlow/shithub/internal/web/middleware"
 +	"github.com/tenseleyFlow/shithub/internal/worker"
 +)
++
 +func (h *Handlers) repoActionRunApprove(w http.ResponseWriter, r *http.Request) {
 +	h.repoActionRunApprovalDecision(w, r, true)
 +}
++
 +func (h *Handlers) repoActionRunReject(w http.ResponseWriter, r *http.Request) {
 +	h.repoActionRunApprovalDecision(w, r, false)
 +}
++
 +func (h *Handlers) repoActionRunApprovalDecision(w http.ResponseWriter, r *http.Request, approve bool) {
 +	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionActionsApprove)
 +	if !ok {
 +		return
 +	}
 +	runIndex, ok := parsePositiveInt64Param(r, "runIndex")
 +	if !ok {
 +		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
 +		return
 +	}
 +	run, err := actionsdb.New().GetWorkflowRunForRepoByIndex(r.Context(), h.d.Pool, actionsdb.GetWorkflowRunForRepoByIndexParams{
 +		RepoID:   row.ID,
 +		RunIndex: runIndex,
 +	})
 +	if err != nil {
 +		if errors.Is(err, pgx.ErrNoRows) {
 +			h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
 +		} else {
 +			h.d.Logger.WarnContext(r.Context(), "repo actions: lookup run for approval", "repo_id", row.ID, "run_index", runIndex, "error", err)
 +			h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")
 +		}
 +		return
 +	}
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	var action audit.Action
 +	if approve {
 +		if _, err := actionslifecycle.ApproveRun(r.Context(), actionslifecycle.Deps{Pool: h.d.Pool, Logger: h.d.Logger}, run.ID, viewer.ID); err != nil {
 +			h.writeRepoApprovalError(w, r, run.ID, err)
 +			return
 +		}
 +		action = audit.ActionWorkflowRunApproved
 +		_ = worker.Notify(r.Context(), h.d.Pool)
 +	} else {
 +		if _, err := actionslifecycle.RejectRun(r.Context(), actionslifecycle.Deps{Pool: h.d.Pool, Logger: h.d.Logger}, run.ID, viewer.ID); err != nil {
 +			h.writeRepoApprovalError(w, r, run.ID, err)
 +			return
 +		}
 +		action = audit.ActionWorkflowRunRejected
 +	}
 +	actor, meta := viewer.AuditActor(map[string]any{
 +		"run_id":        run.ID,
 +		"run_index":     run.RunIndex,
 +		"workflow_file": run.WorkflowFile,
 +		"event":         string(run.Event),
 +		"head_ref":      run.HeadRef,
 +		"head_sha":      run.HeadSha,
 +	})
 +	_ = h.d.Audit.Record(r.Context(), h.d.Pool, actor, action, audit.TargetRepo, row.ID, meta)
 +	http.Redirect(w, r, repoActionRunHref(owner.Username, row.Name, runIndex), http.StatusSeeOther)
 +}
++
 +func (h *Handlers) writeRepoApprovalError(w http.ResponseWriter, r *http.Request, runID int64, err error) {
 +	switch {
 +	case errors.Is(err, actionslifecycle.ErrRunNotApprovalPending):
 +		h.d.Render.HTTPError(w, r, http.StatusConflict, "run is not pending approval")
 +	case errors.Is(err, actionslifecycle.ErrApprovalActorRequired):
 +		h.d.Render.HTTPError(w, r, http.StatusUnauthorized, "approval actor required")
 +	default:
 +		h.d.Logger.WarnContext(r.Context(), "repo actions: approval decision", "run_id", runID, "error", err)
 +		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")
 +	}
 +}

internal/web/handlers/repo/actions_cancel.gomodified

  		return
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	dec := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, viewer.PolicyActor(), policy.ActionRepoWrite, policy.NewRepoRefFromRepo(row))
 +	repoRef := policy.NewRepoRefFromRepo(row)
 +	if view.ApprovalPending {
 +		approvalDec := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, viewer.PolicyActor(), policy.ActionActionsApprove, repoRef)
 +		if approvalDec.Allow {
 +			view.CanApprove = true
 +		}
 +	}
 +	dec := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, viewer.PolicyActor(), policy.ActionRepoWrite, repoRef)
  	if !dec.Allow {
  		return
+ 	}

internal/web/handlers/repo/actions_test.gomodified

+ 	}
+ }
 +func TestRepoActionRunApprovalControlsAndDecisions(t *testing.T) {
 +	t.Parallel()
 +	f := newRepoFixture(t)
 +	now := time.Date(2026, 5, 11, 12, 0, 0, 0, time.UTC)
 +	runID := f.insertWorkflowRun(t, workflowRunFixture{
 +		RunIndex:       31,
 +		WorkflowFile:   ".shithub/workflows/pr.yml",
 +		WorkflowName:   "PR",
 +		HeadRef:        "refs/heads/contrib",
 +		Event:          actionsdb.WorkflowRunEventPullRequest,
 +		Status:         actionsdb.WorkflowRunStatusQueued,
 +		ActorUserID:    f.stranger.ID,
 +		CreatedOffset:  -5 * time.Minute,
 +		NeedApproval:   true,
 +		ApprovalReason: "Pull request workflow requires maintainer approval before runner dispatch.",
 +	}, now)
 +	f.insertWorkflowJob(t, workflowJobFixture{
 +		RunID:    runID,
 +		JobIndex: 0,
 +		JobKey:   "build",
 +		JobName:  "Build",
 +		RunsOn:   "ubuntu-latest",
 +		Status:   actionsdb.WorkflowJobStatusQueued,
 +	})
++
 +	resp := httptest.NewRecorder()
 +	req := httptest.NewRequest(http.MethodGet, "/alice/public-repo/actions/runs/31", nil)
 +	f.actionsMux(viewerFor(f.owner)).ServeHTTP(resp, req)
 +	if resp.Code != http.StatusOK {
 +		t.Fatalf("owner status=%d body=%s", resp.Code, resp.Body.String())
 +	}
 +	body := resp.Body.String()
 +	for _, want := range []string{
 +		"RUN=PR:#31:pull_request:bob:pending;",
 +		"APPROVE=/alice/public-repo/actions/runs/31/approve;",
 +		"REJECT=/alice/public-repo/actions/runs/31/reject;",
 +		"APPROVAL_PENDING=Pull request workflow requires maintainer approval before runner dispatch.;",
 +		"WAIT=Waiting for maintainer approval;",
 +	} {
 +		if !strings.Contains(body, want) {
 +			t.Fatalf("approval body missing %q in %s", want, body)
 +		}
 +	}
++
 +	resp = httptest.NewRecorder()
 +	req = httptest.NewRequest(http.MethodGet, "/alice/public-repo/actions/runs/31", nil)
 +	f.actionsMux(viewerFor(f.stranger)).ServeHTTP(resp, req)
 +	if resp.Code != http.StatusOK {
 +		t.Fatalf("stranger status=%d body=%s", resp.Code, resp.Body.String())
 +	}
 +	if strings.Contains(resp.Body.String(), "APPROVE=") || strings.Contains(resp.Body.String(), "REJECT=") {
 +		t.Fatalf("approval controls leaked to stranger: %s", resp.Body.String())
 +	}
++
 +	resp = httptest.NewRecorder()
 +	req = httptest.NewRequest(http.MethodPost, "/alice/public-repo/actions/runs/31/approve", nil)
 +	f.actionsMux(viewerFor(f.owner)).ServeHTTP(resp, req)
 +	if resp.Code != http.StatusSeeOther {
 +		t.Fatalf("approve status=%d body=%s", resp.Code, resp.Body.String())
 +	}
 +	run, err := actionsdb.New().GetWorkflowRunByID(context.Background(), f.pool, runID)
 +	if err != nil {
 +		t.Fatalf("GetWorkflowRunByID: %v", err)
 +	}
 +	if !run.ApprovedByUserID.Valid || run.ApprovedByUserID.Int64 != f.owner.ID {
 +		t.Fatalf("approved_by not recorded: %+v", run)
 +	}
++
 +	rejectRunID := f.insertWorkflowRun(t, workflowRunFixture{
 +		RunIndex:     32,
 +		WorkflowFile: ".shithub/workflows/pr.yml",
 +		WorkflowName: "PR",
 +		HeadRef:      "refs/heads/contrib",
 +		Event:        actionsdb.WorkflowRunEventPullRequest,
 +		Status:       actionsdb.WorkflowRunStatusQueued,
 +		ActorUserID:  f.stranger.ID,
 +		NeedApproval: true,
 +	}, now)
 +	jobID := f.insertWorkflowJob(t, workflowJobFixture{
 +		RunID:    rejectRunID,
 +		JobIndex: 0,
 +		JobKey:   "build",
 +		JobName:  "Build",
 +		Status:   actionsdb.WorkflowJobStatusQueued,
 +	})
 +	resp = httptest.NewRecorder()
 +	req = httptest.NewRequest(http.MethodPost, "/alice/public-repo/actions/runs/32/reject", nil)
 +	f.actionsMux(viewerFor(f.owner)).ServeHTTP(resp, req)
 +	if resp.Code != http.StatusSeeOther {
 +		t.Fatalf("reject status=%d body=%s", resp.Code, resp.Body.String())
 +	}
 +	run, err = actionsdb.New().GetWorkflowRunByID(context.Background(), f.pool, rejectRunID)
 +	if err != nil {
 +		t.Fatalf("GetWorkflowRunByID rejected: %v", err)
 +	}
 +	if run.Status != actionsdb.WorkflowRunStatusCompleted ||
 +		!run.Conclusion.Valid || run.Conclusion.CheckConclusion != actionsdb.CheckConclusionActionRequired {
 +		t.Fatalf("rejected run: %+v", run)
 +	}
 +	job, err := actionsdb.New().GetWorkflowJobByID(context.Background(), f.pool, jobID)
 +	if err != nil {
 +		t.Fatalf("GetWorkflowJobByID rejected: %v", err)
 +	}
 +	if job.Status != actionsdb.WorkflowJobStatusCancelled ||
 +		!job.Conclusion.Valid || job.Conclusion.CheckConclusion != actionsdb.CheckConclusionActionRequired {
 +		t.Fatalf("rejected job: %+v", job)
 +	}
 +}
++
  func TestRepoActionRunCancelCancelsQueuedRun(t *testing.T) {
  	t.Parallel()
  	f := newRepoFixture(t)
  	mux.Get("/{owner}/{repo}/actions/runs/{runIndex}", f.handlers.repoActionRun)
  	mux.Post("/{owner}/{repo}/actions/runs/{runIndex}/cancel", f.handlers.repoActionRunCancel)
  	mux.Post("/{owner}/{repo}/actions/runs/{runIndex}/rerun", f.handlers.repoActionRunRerun)
 +	mux.Post("/{owner}/{repo}/actions/runs/{runIndex}/approve", f.handlers.repoActionRunApprove)
 +	mux.Post("/{owner}/{repo}/actions/runs/{runIndex}/reject", f.handlers.repoActionRunReject)
  	mux.Post("/{owner}/{repo}/actions/runs/{runIndex}/jobs/{jobIndex}/cancel", f.handlers.repoActionJobCancel)
  	mux.Post("/{owner}/{repo}/actions/workflows/{file}/dispatches", f.handlers.repoActionsDispatch)
  	mux.Get("/{owner}/{repo}/actions", f.handlers.repoTabActions)
+ }
  type workflowRunFixture struct {
 -	RunIndex      int64
 -	WorkflowFile  string
 -	WorkflowName  string
 -	HeadSHA       string
 -	HeadRef       string
 -	Event         actionsdb.WorkflowRunEvent
 -	EventPayload  string
 -	Status        actionsdb.WorkflowRunStatus
 -	Conclusion    actionsdb.CheckConclusion
 -	ActorUserID   int64
 -	CreatedOffset time.Duration
 -	StartedOffset time.Duration
 -	DoneOffset    time.Duration
 -	RepoID        int64
 +	RunIndex       int64
 +	WorkflowFile   string
 +	WorkflowName   string
 +	HeadSHA        string
 +	HeadRef        string
 +	Event          actionsdb.WorkflowRunEvent
 +	EventPayload   string
 +	Status         actionsdb.WorkflowRunStatus
 +	Conclusion     actionsdb.CheckConclusion
 +	ActorUserID    int64
 +	CreatedOffset  time.Duration
 +	StartedOffset  time.Duration
 +	DoneOffset     time.Duration
 +	RepoID         int64
 +	NeedApproval   bool
 +	ApprovalReason string
+ }
  func (f *repoFixture) insertWorkflowRun(t *testing.T, fx workflowRunFixture, base time.Time) int64 {
  		INSERT INTO workflow_runs (
  			repo_id, run_index, workflow_file, workflow_name,
  			head_sha, head_ref, event, event_payload, actor_user_id,
 -			status, conclusion, started_at, completed_at, created_at, updated_at
 +			status, conclusion, need_approval, started_at, completed_at, created_at, updated_at
  		) VALUES (
  			$1, $2, $3, $4,
  			$5, $6, $7, $8::jsonb, $9,
 -			$10, $11, $12, $13, $14, $15
 +			$10, $11, $12, $13, $14, $15, $16
+ 		)
  		RETURNING id`,
  		repoID,
  		fx.ActorUserID,
  		fx.Status,
  		conclusion,
 +		fx.NeedApproval,
  		startedAt,
  		completedAt,
  		createdAt,
  	if err != nil {
  		t.Fatalf("insert workflow run %d: %v", fx.RunIndex, err)
+ 	}
 +	if fx.NeedApproval {
 +		reason := fx.ApprovalReason
 +		if reason == "" {
 +			reason = "approval required"
 +		}
 +		if _, err := actionsdb.New().InsertWorkflowRunApproval(context.Background(), f.pool, actionsdb.InsertWorkflowRunApprovalParams{
 +			RunID:           id,
 +			RequestedReason: reason,
 +		}); err != nil {
 +			t.Fatalf("insert workflow approval %d: %v", fx.RunIndex, err)
 +		}
 +	}
  	return id
+ }

internal/web/handlers/repo/repo.gomodified

  func (h *Handlers) MountRepoActionsAPI(r chi.Router) {
  	r.Post("/{owner}/{repo}/actions/runs/{runIndex}/cancel", h.repoActionRunCancel)
  	r.Post("/{owner}/{repo}/actions/runs/{runIndex}/rerun", h.repoActionRunRerun)
 +	r.Post("/{owner}/{repo}/actions/runs/{runIndex}/approve", h.repoActionRunApprove)
 +	r.Post("/{owner}/{repo}/actions/runs/{runIndex}/reject", h.repoActionRunReject)
  	r.Post("/{owner}/{repo}/actions/runs/{runIndex}/jobs/{jobIndex}/cancel", h.repoActionJobCancel)
  	r.Post("/{owner}/{repo}/actions/workflows/{file}/dispatches", h.repoActionsDispatch)
+ }

internal/web/handlers/repo/repo_test.gomodified

  		"repo/new.html":                {Data: []byte(`{{ define "page" }}OWNERS={{ range .Owners }}{{ .Token }}:{{ if eq .Token $.Form.Owner }}selected{{ end }}:{{ .Slug }};{{ end }}{{ end }}`)},
  		"repo/actions.html":            {Data: []byte(`{{ define "page" }}COUNT={{ .RunCount }};FILTERED={{ .FilteredRunCount }};PAGE={{ .Pagination.ResultText }};{{ range .DispatchWorkflows }}DISPATCH={{ .Name }}:{{ .DispatchHref }}:{{ range .Inputs }}{{ .Name }}/{{ .Type }}/{{ .Required }}/{{ .Default }}/{{ range .Options }}{{ .Value }}|{{ end }},{{ end }};{{ end }}{{ range .Workflows }}WF={{ .Name }}:{{ .Count }}:{{ .Active }};{{ end }}{{ range .Runs }}RUN={{ .Title }}:#{{ .RunIndex }}:{{ .Event }}:{{ .HeadRef }}:{{ .ActorUsername }}:{{ .StateClass }};{{ end }}{{ end }}`)},
  		"repo/_action_run_status.html": {Data: []byte(`{{ define "action-run-status" }}STATUS={{ .Run.StateClass }}:{{ .Run.IsTerminal }}:{{ .Run.StatusHref }};{{ end }}`)},
 -		"repo/action_run.html":         {Data: []byte(`{{ define "page" }}RUN={{ .Run.Title }}:#{{ .Run.RunIndex }}:{{ .Run.Event }}:{{ .Run.ActorUsername }}:{{ .Run.StateClass }};{{ if .Run.ParentRunHref }}PARENT={{ .Run.ParentRunIndex }}:{{ .Run.ParentRunHref }};{{ end }}{{ if .Run.CanRerun }}RERUN={{ .Run.RerunHref }};{{ end }}{{ if .Run.CanCancel }}CANCEL_RUN={{ .Run.CancelHref }};{{ end }}SUMMARY={{ .Run.JobCount }}:{{ .Run.CompletedCount }}:{{ .Run.FailureCount }}:{{ .Run.ArtifactCount }};{{ range .Run.Jobs }}JOB={{ .Name }}:{{ .StateClass }}:{{ .NeedsText }}:{{ .RunsOn }};{{ if .WaitReason }}WAIT={{ .WaitReason }};{{ end }}{{ if .CanCancel }}CANCEL_JOB={{ .CancelHref }};{{ end }}{{ if .CancelRequested }}CANCEL_REQUESTED={{ .Name }};{{ end }}{{ range .Steps }}STEP={{ .Name }}:{{ .StateClass }}:{{ .LogHref }};{{ end }}{{ end }}{{ end }}`)},
 +		"repo/action_run.html":         {Data: []byte(`{{ define "page" }}RUN={{ .Run.Title }}:#{{ .Run.RunIndex }}:{{ .Run.Event }}:{{ .Run.ActorUsername }}:{{ .Run.StateClass }};{{ if .Run.ParentRunHref }}PARENT={{ .Run.ParentRunIndex }}:{{ .Run.ParentRunHref }};{{ end }}{{ if .Run.CanRerun }}RERUN={{ .Run.RerunHref }};{{ end }}{{ if .Run.CanCancel }}CANCEL_RUN={{ .Run.CancelHref }};{{ end }}{{ if .Run.CanApprove }}APPROVE={{ .Run.ApproveHref }};REJECT={{ .Run.RejectHref }};{{ end }}{{ if .Run.ApprovalPending }}APPROVAL_PENDING={{ .Run.ApprovalReason }};{{ end }}SUMMARY={{ .Run.JobCount }}:{{ .Run.CompletedCount }}:{{ .Run.FailureCount }}:{{ .Run.ArtifactCount }};{{ range .Run.Jobs }}JOB={{ .Name }}:{{ .StateClass }}:{{ .NeedsText }}:{{ .RunsOn }};{{ if .WaitReason }}WAIT={{ .WaitReason }};{{ end }}{{ if .CanCancel }}CANCEL_JOB={{ .CancelHref }};{{ end }}{{ if .CancelRequested }}CANCEL_REQUESTED={{ .Name }};{{ end }}{{ range .Steps }}STEP={{ .Name }}:{{ .StateClass }}:{{ .LogHref }};{{ end }}{{ end }}{{ end }}`)},
  		"repo/action_run_status.html":  {Data: []byte(`{{ define "page" }}{{ template "action-run-status" . }}{{ end }}`)},
  		"repo/action_step_log.html":    {Data: []byte(`{{ define "page" }}STEPLOG={{ .Log.Job.Name }}:{{ .Log.Step.Name }}:{{ .Log.LogSource }}:{{ .Log.DownloadURL }}:{{ .Log.LogTruncated }};{{ with .Log.StreamHref }}STREAM={{ . }};{{ end }}{{ with .Log.LogError }}ERROR={{ . }};{{ end }}LOG={{ .Log.LogText }};{{ end }}`)},
 +		"repo/settings_actions.html":   {Data: []byte(`{{ define "page" }}POLICY={{ .Policy.ActionsEnabled }}:{{ .Policy.RequirePRApproval }}:{{ .Policy.EffectiveActionsEnabled }}:{{ .Policy.EffectiveRequirePRApproval }}:{{ .Policy.EffectiveMaxRepoQueuedRuns }};{{ with .Error }}ERROR={{ . }}{{ end }}{{ end }}`)},
  		"repo/settings_secrets.html":   {Data: []byte(`{{ define "page" }}{{ with .Error }}ERROR={{ . }}{{ end }}{{ range .Secrets }}SECRET={{ .Name }};{{ end }}{{ range .Variables }}VAR={{ .Name }}:{{ .Value }};{{ end }}{{ end }}`)},
+ 	}
+ }

internal/web/handlers/repo/settings_actions.gomodified

  import (
  	"errors"
 +	"fmt"
  	"net/http"
 +	"strconv"
  	"strings"
  	"github.com/go-chi/chi/v5"
 +	"github.com/jackc/pgx/v5"
 +	"github.com/jackc/pgx/v5/pgtype"
  	"github.com/tenseleyFlow/shithub/internal/actions/secrets"
 +	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"
  	actionsvars "github.com/tenseleyFlow/shithub/internal/actions/variables"
  	"github.com/tenseleyFlow/shithub/internal/auth/audit"
  	"github.com/tenseleyFlow/shithub/internal/auth/policy"
  // MountSettingsActions registers the Actions secrets + variables settings
  // routes. Caller wraps with RequireUser; per-route policy gates inside.
  func (h *Handlers) MountSettingsActions(r chi.Router) {
 +	r.Get("/{owner}/{repo}/settings/actions", h.settingsActionsPolicy)
 +	r.Post("/{owner}/{repo}/settings/actions", h.settingsActionsPolicyUpdate)
  	r.Get("/{owner}/{repo}/settings/secrets/actions", h.settingsActionsSecrets)
  	r.Post("/{owner}/{repo}/settings/secrets/actions", h.settingsActionsSecretSet)
  	r.Post("/{owner}/{repo}/settings/secrets/actions/{name}/delete", h.settingsActionsSecretDelete)
  	r.Post("/{owner}/{repo}/settings/variables/actions/{name}/delete", h.settingsActionsVariableDelete)
+ }
 +type repoActionsPolicyForm struct {
 +	ActionsEnabled              string
 +	RequirePRApproval           string
 +	MaxRepoQueuedRuns           string
 +	MaxRepoConcurrentJobs       string
 +	MaxOwnerConcurrentJobs      string
 +	ActorTriggerLimitPerHour    string
 +	EffectiveActionsEnabled     bool
 +	EffectiveRequirePRApproval  bool
 +	EffectiveMaxRepoQueuedRuns  int32
 +	EffectiveMaxRepoConcurrent  int32
 +	EffectiveMaxOwnerConcurrent int32
 +	EffectiveActorHourlyLimit   int32
 +}
++
 +func (h *Handlers) settingsActionsPolicy(w http.ResponseWriter, r *http.Request) {
 +	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoSettingsActions)
 +	if !ok {
 +		return
 +	}
 +	h.renderRepoActionsPolicySettings(w, r, row, owner.Username, "", settingsNoticeMessage(r.URL.Query().Get("notice")))
 +}
++
 +func (h *Handlers) settingsActionsPolicyUpdate(w http.ResponseWriter, r *http.Request) {
 +	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoSettingsActions)
 +	if !ok {
 +		return
 +	}
 +	if err := r.ParseForm(); err != nil {
 +		http.Error(w, "form parse", http.StatusBadRequest)
 +		return
 +	}
 +	form, err := repoActionsPolicyFormFromRequest(r)
 +	if err != nil {
 +		h.renderRepoActionsPolicySettings(w, r, row, owner.Username, err.Error(), "")
 +		return
 +	}
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	if _, err := actionsdb.New().UpsertActionsRepoPolicy(r.Context(), h.d.Pool, actionsdb.UpsertActionsRepoPolicyParams{
 +		RepoID:                   row.ID,
 +		ActionsEnabled:           actionsdb.ActionsPolicyState(form.ActionsEnabled),
 +		RequirePrApproval:        nullableBoolSetting(form.RequirePRApproval),
 +		MaxRepoQueuedRuns:        nullableInt4Setting(form.MaxRepoQueuedRuns),
 +		MaxRepoConcurrentJobs:    nullableInt4Setting(form.MaxRepoConcurrentJobs),
 +		MaxOwnerConcurrentJobs:   nullableInt4Setting(form.MaxOwnerConcurrentJobs),
 +		ActorTriggerLimitPerHour: nullableInt4Setting(form.ActorTriggerLimitPerHour),
 +		UpdatedByUserID:          pgtype.Int8{Int64: viewer.ID, Valid: viewer.ID != 0},
 +	}); err != nil {
 +		h.d.Logger.WarnContext(r.Context(), "actions policy: update repo", "repo_id", row.ID, "error", err)
 +		h.renderRepoActionsPolicySettings(w, r, row, owner.Username, "Could not save Actions policy.", "")
 +		return
 +	}
 +	actor, meta := viewer.AuditActor(map[string]any{
 +		"actions_enabled":              form.ActionsEnabled,
 +		"require_pr_approval":          form.RequirePRApproval,
 +		"max_repo_queued_runs":         form.MaxRepoQueuedRuns,
 +		"max_repo_concurrent_jobs":     form.MaxRepoConcurrentJobs,
 +		"max_owner_concurrent_jobs":    form.MaxOwnerConcurrentJobs,
 +		"actor_trigger_limit_per_hour": form.ActorTriggerLimitPerHour,
 +	})
 +	_ = h.d.Audit.Record(r.Context(), h.d.Pool, actor, audit.ActionActionsPolicyUpdated, audit.TargetRepo, row.ID, meta)
 +	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/actions?notice=saved", http.StatusSeeOther)
 +}
++
 +func (h *Handlers) renderRepoActionsPolicySettings(w http.ResponseWriter, r *http.Request, row reposdb.Repo, owner, errMsg, notice string) {
 +	form, loadErr := h.loadRepoActionsPolicyForm(r, row.ID)
 +	if loadErr != nil {
 +		h.d.Logger.WarnContext(r.Context(), "actions policy: load repo settings", "repo_id", row.ID, "error", loadErr)
 +		errMsg = "Could not load Actions policy."
 +	}
 +	data := map[string]any{
 +		"CSRFToken":      middleware.CSRFTokenForRequest(r),
 +		"Title":          "Actions settings · " + row.Name,
 +		"Owner":          owner,
 +		"Repo":           row,
 +		"SettingsActive": "actions",
 +		"Error":          errMsg,
 +		"Notice":         notice,
 +		"Policy":         form,
 +	}
 +	h.d.Render.RenderPage(w, r, "repo/settings_actions", data)
 +}
++
 +func (h *Handlers) loadRepoActionsPolicyForm(r *http.Request, repoID int64) (repoActionsPolicyForm, error) {
 +	q := actionsdb.New()
 +	eff, err := q.GetEffectiveActionsPolicyForRepo(r.Context(), h.d.Pool, repoID)
 +	if err != nil {
 +		return repoActionsPolicyForm{}, err
 +	}
 +	form := repoActionsPolicyForm{
 +		ActionsEnabled:              "inherit",
 +		RequirePRApproval:           "inherit",
 +		EffectiveActionsEnabled:     eff.ActionsEnabled,
 +		EffectiveRequirePRApproval:  eff.RequirePrApproval,
 +		EffectiveMaxRepoQueuedRuns:  eff.MaxRepoQueuedRuns,
 +		EffectiveMaxRepoConcurrent:  eff.MaxRepoConcurrentJobs,
 +		EffectiveMaxOwnerConcurrent: eff.MaxOwnerConcurrentJobs,
 +		EffectiveActorHourlyLimit:   eff.ActorTriggerLimitPerHour,
 +	}
 +	row, err := q.GetActionsRepoPolicy(r.Context(), h.d.Pool, repoID)
 +	if err != nil {
 +		if errors.Is(err, pgx.ErrNoRows) {
 +			return form, nil
 +		}
 +		return repoActionsPolicyForm{}, err
 +	}
 +	form.ActionsEnabled = string(row.ActionsEnabled)
 +	form.RequirePRApproval = nullableBoolSettingString(row.RequirePrApproval)
 +	form.MaxRepoQueuedRuns = nullableInt4SettingString(row.MaxRepoQueuedRuns)
 +	form.MaxRepoConcurrentJobs = nullableInt4SettingString(row.MaxRepoConcurrentJobs)
 +	form.MaxOwnerConcurrentJobs = nullableInt4SettingString(row.MaxOwnerConcurrentJobs)
 +	form.ActorTriggerLimitPerHour = nullableInt4SettingString(row.ActorTriggerLimitPerHour)
 +	return form, nil
 +}
++
 +func repoActionsPolicyFormFromRequest(r *http.Request) (repoActionsPolicyForm, error) {
 +	form := repoActionsPolicyForm{
 +		ActionsEnabled:           strings.TrimSpace(r.PostFormValue("actions_enabled")),
 +		RequirePRApproval:        strings.TrimSpace(r.PostFormValue("require_pr_approval")),
 +		MaxRepoQueuedRuns:        strings.TrimSpace(r.PostFormValue("max_repo_queued_runs")),
 +		MaxRepoConcurrentJobs:    strings.TrimSpace(r.PostFormValue("max_repo_concurrent_jobs")),
 +		MaxOwnerConcurrentJobs:   strings.TrimSpace(r.PostFormValue("max_owner_concurrent_jobs")),
 +		ActorTriggerLimitPerHour: strings.TrimSpace(r.PostFormValue("actor_trigger_limit_per_hour")),
 +	}
 +	switch form.ActionsEnabled {
 +	case "inherit", "enabled", "disabled":
 +	default:
 +		return repoActionsPolicyForm{}, errors.New("Invalid Actions enablement setting.")
 +	}
 +	switch form.RequirePRApproval {
 +	case "inherit", "true", "false":
 +	default:
 +		return repoActionsPolicyForm{}, errors.New("Invalid pull request approval setting.")
 +	}
 +	for label, value := range map[string]string{
 +		"queued run cap":           form.MaxRepoQueuedRuns,
 +		"repository concurrency":   form.MaxRepoConcurrentJobs,
 +		"owner concurrency":        form.MaxOwnerConcurrentJobs,
 +		"actor hourly trigger cap": form.ActorTriggerLimitPerHour,
 +	} {
 +		if err := validateOptionalNonnegativeInt(value); err != nil {
 +			return repoActionsPolicyForm{}, fmt.Errorf("Invalid %s.", label)
 +		}
 +	}
 +	return form, nil
 +}
++
 +func validateOptionalNonnegativeInt(v string) error {
 +	if v == "" {
 +		return nil
 +	}
 +	n, err := strconv.ParseInt(v, 10, 32)
 +	if err != nil || n < 0 {
 +		return errors.New("invalid integer")
 +	}
 +	return nil
 +}
++
 +func nullableBoolSetting(v string) pgtype.Bool {
 +	switch v {
 +	case "true":
 +		return pgtype.Bool{Bool: true, Valid: true}
 +	case "false":
 +		return pgtype.Bool{Bool: false, Valid: true}
 +	default:
 +		return pgtype.Bool{}
 +	}
 +}
++
 +func nullableBoolSettingString(v pgtype.Bool) string {
 +	if !v.Valid {
 +		return "inherit"
 +	}
 +	if v.Bool {
 +		return "true"
 +	}
 +	return "false"
 +}
++
 +func nullableInt4Setting(v string) pgtype.Int4 {
 +	if v == "" {
 +		return pgtype.Int4{}
 +	}
 +	n, _ := strconv.ParseInt(v, 10, 32)
 +	return pgtype.Int4{Int32: int32(n), Valid: true}
 +}
++
 +func nullableInt4SettingString(v pgtype.Int4) string {
 +	if !v.Valid {
 +		return ""
 +	}
 +	return strconv.FormatInt(int64(v.Int32), 10)
 +}
++
  func (h *Handlers) settingsActionsSecrets(w http.ResponseWriter, r *http.Request) {
  	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoSettingsActions)
  	if !ok {

internal/web/handlers/repo/settings_actions_test.gomodified

+ 	}
+ }
 +func TestSettingsActionsPolicyCRUD(t *testing.T) {
 +	t.Parallel()
 +	f := newRepoFixture(t)
 +	mux := f.actionsSettingsMux(f.owner.ID, f.owner.Username)
++
 +	resp := httptest.NewRecorder()
 +	req := httptest.NewRequest(http.MethodGet, "/alice/public-repo/settings/actions", nil)
 +	mux.ServeHTTP(resp, req)
 +	if resp.Code != http.StatusOK {
 +		t.Fatalf("GET policy status=%d body=%s", resp.Code, resp.Body.String())
 +	}
 +	if got := resp.Body.String(); !strings.Contains(got, "POLICY=inherit:inherit:true:true:50;") {
 +		t.Fatalf("default policy missing: %s", got)
 +	}
++
 +	resp = httptest.NewRecorder()
 +	req = newFormRequest(http.MethodPost, "/alice/public-repo/settings/actions", url.Values{
 +		"actions_enabled":              {"disabled"},
 +		"require_pr_approval":          {"false"},
 +		"max_repo_queued_runs":         {"3"},
 +		"max_repo_concurrent_jobs":     {"2"},
 +		"max_owner_concurrent_jobs":    {"5"},
 +		"actor_trigger_limit_per_hour": {"7"},
 +	})
 +	mux.ServeHTTP(resp, req)
 +	if resp.Code != http.StatusSeeOther {
 +		t.Fatalf("POST policy status=%d body=%s", resp.Code, resp.Body.String())
 +	}
++
 +	resp = httptest.NewRecorder()
 +	req = httptest.NewRequest(http.MethodGet, "/alice/public-repo/settings/actions", nil)
 +	mux.ServeHTTP(resp, req)
 +	if resp.Code != http.StatusOK {
 +		t.Fatalf("GET saved policy status=%d body=%s", resp.Code, resp.Body.String())
 +	}
 +	if got := resp.Body.String(); !strings.Contains(got, "POLICY=disabled:false:false:false:3;") {
 +		t.Fatalf("saved policy missing: %s", got)
 +	}
 +}
++
  func (f *repoFixture) actionsSettingsMux(userID int64, username string) http.Handler {
  	mux := chi.NewRouter()
  	mux.Use(func(next http.Handler) http.Handler {

internal/web/static/css/shithub.cssmodified

    color: var(--fg-muted);
    font-size: 0.82rem;
+ }
 +.shithub-actions-approval-box {
 +  display: flex;
 +  flex-direction: column;
 +  gap: 0.35rem;
 +  margin-bottom: 1rem;
 +  padding: 1rem;
 +  border: 1px solid var(--border-default);
 +  border-radius: 6px;
 +  background: var(--canvas-subtle);
 +}
 +.shithub-actions-approval-box strong {
 +  display: inline-flex;
 +  align-items: center;
 +  gap: 0.4rem;
 +}
 +.shithub-actions-approval-box p {
 +  margin: 0;
 +  color: var(--fg-muted);
 +}
  .shithub-actions-workflow-card,
  .shithub-actions-annotations {
    border: 1px solid var(--border-default);

internal/web/templates/_repo_settings_nav.htmlmodified

        <li{{ if eq .SettingsActive "webhooks" }} class="active"{{ end }}>
          <a href="/{{ .Owner }}/{{ .Repo.Name }}/settings/webhooks">Webhooks</a>
        </li>
 +      <li{{ if eq .SettingsActive "actions" }} class="active"{{ end }}>
 +        <a href="/{{ .Owner }}/{{ .Repo.Name }}/settings/actions">Actions</a>
 +      </li>
        <li{{ if eq .SettingsActive "actions-secrets" }} class="active"{{ end }}>
          <a href="/{{ .Owner }}/{{ .Repo.Name }}/settings/secrets/actions">Actions secrets</a>
        </li>

internal/web/templates/repo/action_run.htmlmodified

            <button type="submit" class="shithub-button">{{ octicon "history" }} Re-run jobs</button>
          </form>
        {{ end }}
 +      {{ if and .Run.ApprovalPending .Run.CanApprove }}
 +        <form method="POST" action="{{ .Run.ApproveHref }}" class="shithub-actions-inline-form">
 +          <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
 +          <button type="submit" class="shithub-button shithub-button-primary">{{ octicon "check" }} Approve and run</button>
 +        </form>
 +        <form method="POST" action="{{ .Run.RejectHref }}" class="shithub-actions-inline-form">
 +          <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
 +          <button type="submit" class="shithub-button shithub-button-danger">{{ octicon "x" }} Reject</button>
 +        </form>
 +      {{ end }}
        {{ if .Run.CanCancel }}
          <form method="POST" action="{{ .Run.CancelHref }}" class="shithub-actions-inline-form">
            <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
      </aside>
      <div class="shithub-actions-run-main">
 +      {{ if .Run.ApprovalPending }}
 +        <section class="shithub-actions-approval-box">
 +          <strong>{{ octicon "clock" }} Waiting for approval</strong>
 +          <p>{{ if .Run.ApprovalReason }}{{ .Run.ApprovalReason }}{{ else }}This workflow is paused until a maintainer approves it.{{ end }}</p>
 +        </section>
 +      {{ else if .Run.ApprovalRejected }}
 +        <section class="shithub-actions-approval-box">
 +          <strong>{{ octicon "x-circle" }} Workflow rejected</strong>
 +          <p>This run was not dispatched to a runner.</p>
 +        </section>
 +      {{ end }}
++
        <section id="summary" class="shithub-actions-summary-strip">
          <div>
            <span>Triggered via</span>

internal/web/templates/repo/settings_actions.htmladded

 +{{ define "page" -}}
 +<div class="shithub-settings-page">
 +  {{ template "repo-settings-nav" . }}
 +  <div class="shithub-settings-content">
 +    <h1>Actions settings</h1>
 +    {{ with .Notice }}<p class="shithub-flash shithub-flash-notice" role="status">{{ . }}</p>{{ end }}
 +    {{ with .Error }}<p class="shithub-flash shithub-flash-error" role="alert">{{ . }}</p>{{ end }}
++
 +    <section class="shithub-settings-section">
 +      <h2>Actions policy</h2>
 +      <form method="POST" action="/{{ .Owner }}/{{ .Repo.Name }}/settings/actions" novalidate>
 +        <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
 +        <label>
 +          <span>Actions</span>
 +          <select name="actions_enabled">
 +            <option value="inherit"{{ if eq .Policy.ActionsEnabled "inherit" }} selected{{ end }}>Use inherited policy</option>
 +            <option value="enabled"{{ if eq .Policy.ActionsEnabled "enabled" }} selected{{ end }}>Enabled</option>
 +            <option value="disabled"{{ if eq .Policy.ActionsEnabled "disabled" }} selected{{ end }}>Disabled</option>
 +          </select>
 +        </label>
 +        <label>
 +          <span>Pull request approval</span>
 +          <select name="require_pr_approval">
 +            <option value="inherit"{{ if eq .Policy.RequirePRApproval "inherit" }} selected{{ end }}>Use inherited policy</option>
 +            <option value="true"{{ if eq .Policy.RequirePRApproval "true" }} selected{{ end }}>Require maintainer approval</option>
 +            <option value="false"{{ if eq .Policy.RequirePRApproval "false" }} selected{{ end }}>Do not require approval</option>
 +          </select>
 +        </label>
 +        <label>
 +          <span>Queued runs per repository</span>
 +          <input type="number" name="max_repo_queued_runs" min="0" step="1" value="{{ .Policy.MaxRepoQueuedRuns }}" placeholder="{{ .Policy.EffectiveMaxRepoQueuedRuns }}">
 +        </label>
 +        <label>
 +          <span>Concurrent jobs per repository</span>
 +          <input type="number" name="max_repo_concurrent_jobs" min="0" step="1" value="{{ .Policy.MaxRepoConcurrentJobs }}" placeholder="{{ .Policy.EffectiveMaxRepoConcurrent }}">
 +        </label>
 +        <label>
 +          <span>Concurrent jobs per owner</span>
 +          <input type="number" name="max_owner_concurrent_jobs" min="0" step="1" value="{{ .Policy.MaxOwnerConcurrentJobs }}" placeholder="{{ .Policy.EffectiveMaxOwnerConcurrent }}">
 +        </label>
 +        <label>
 +          <span>Triggers per actor per hour</span>
 +          <input type="number" name="actor_trigger_limit_per_hour" min="0" step="1" value="{{ .Policy.ActorTriggerLimitPerHour }}" placeholder="{{ .Policy.EffectiveActorHourlyLimit }}">
 +        </label>
 +        <button type="submit" class="shithub-button shithub-button-primary">Save policy</button>
 +      </form>
 +    </section>
++
 +    <section class="shithub-settings-section">
 +      <h2>Effective policy</h2>
 +      <table class="shithub-branches-table">
 +        <tbody>
 +          <tr><th>Actions</th><td>{{ if .Policy.EffectiveActionsEnabled }}enabled{{ else }}disabled{{ end }}</td></tr>
 +          <tr><th>Pull request approval</th><td>{{ if .Policy.EffectiveRequirePRApproval }}required{{ else }}not required{{ end }}</td></tr>
 +          <tr><th>Queued runs per repository</th><td>{{ .Policy.EffectiveMaxRepoQueuedRuns }}</td></tr>
 +          <tr><th>Concurrent jobs per repository</th><td>{{ .Policy.EffectiveMaxRepoConcurrent }}</td></tr>
 +          <tr><th>Concurrent jobs per owner</th><td>{{ .Policy.EffectiveMaxOwnerConcurrent }}</td></tr>
 +          <tr><th>Triggers per actor per hour</th><td>{{ .Policy.EffectiveActorHourlyLimit }}</td></tr>
 +        </tbody>
 +      </table>
 +    </section>
 +  </div>
 +</div>
 +{{- end }}