tenseleyflow/shithub / 3ff1cc1

+	"github.com/tenseleyFlow/shithub/internal/infra/metrics"

+			metrics.ActionsRunnerRegistrationsTotal.Inc()

+# Actions runner API

+

+The runner-facing HTTP surface lives in

+`internal/web/handlers/api/runners.go`. It is mounted under `/api/v1`

+in the CSRF-exempt API group, but it does not use PAT auth. Runners

+authenticate first with a long-lived registration token and then with

+short-lived per-job JWTs.

+

+## Auth model

+

+Operators register a runner with:

+

+```sh

+shithubd admin runner register --name runner-1 --labels self-hosted,linux,ubuntu-latest

+```

+

+The command inserts `workflow_runners`, stores only a SHA-256 hash in

+`runner_tokens`, and prints the 32-byte hex token once.

+

+`POST /api/v1/runners/heartbeat` accepts:

+

+```http

+Authorization: Bearer <registration-token>

+```

+

+When a queued job matches the runner labels and capacity is available,

+the response includes a job payload and a 15-minute job JWT. That JWT

+has claims:

+

+```json

+{"sub":"runner:<id>","job_id":1,"run_id":1,"repo_id":1,"exp":0,"jti":"..."}

+```

+

+The signing key is derived from `auth.totp_key_b64` with HKDF label

+`actions-runner-jwt-v1`; the raw TOTP/secretbox key is not used

+directly for JWT signing.

+

+Job JWTs are single-use. Every job endpoint verifies the signature and

+expiry, checks that the path job belongs to the claimed runner/run, and

+then inserts `jti` into `runner_jwt_used`. A replay returns 401. To

+support multi-step runner flows, successful non-terminal job endpoints

+return `next_token` and `next_token_expires_at`.

+

+## Endpoints

+

+`POST /api/v1/runners/heartbeat`

+

+Request body:

+

+```json

+{"labels":["ubuntu-latest","linux"],"capacity":1}

+```

+

+Returns 204 when no matching job is claimable. Returns 200 with

+`token`, `expires_at`, and `job` when a job is claimed. Capacity is

+enforced server-side by counting current `workflow_jobs.status =

+'running'` rows for the runner while holding a row lock on the runner.

+

+`POST /api/v1/jobs/{id}/logs`

+

+Auth: job JWT. Body:

+

+```json

+{"seq":0,"chunk":"aGVsbG8K","step_id":123}

+```

+

+`step_id` is optional for the S41c curl smoke path; when omitted the

+first step in the job receives the chunk. Chunks are base64-decoded,

+capped at 512 KiB raw, and appended to `workflow_step_log_chunks`.

+Duplicate `(step_id, seq)` inserts are accepted as idempotent retries.

+

+`POST /api/v1/jobs/{id}/status`

+

+Auth: job JWT. Body:

+

+```json

+{"status":"completed","conclusion":"success"}

+```

+

+Valid transitions are `queued|running -> running|completed|cancelled`.

+Completed jobs require a valid check conclusion. The handler updates

+`workflow_jobs`, rolls up `workflow_runs`, and best-effort updates the

+matching `check_runs` row created by the trigger pipeline.

+

+`POST /api/v1/jobs/{id}/artifacts/upload`

+

+Auth: job JWT. Body:

+

+```json

+{"name":"test-results.tgz","size_bytes":12345}

+```

+

+Creates a `workflow_artifacts` row and returns a pre-signed S3 PUT URL.

+The object key is `actions/runs/<run_id>/artifacts/<name>`.

+

+`POST /api/v1/jobs/{id}/cancel-check`

+

+Auth: job JWT. Returns:

+

+```json

+{"cancelled":false,"next_token":"..."}

+```

+

+The boolean mirrors `workflow_jobs.cancel_requested`; the actual cancel

+request UI lands later in S41g.

+

+## Metrics

+

+- `shithub_actions_runner_registrations_total`

+- `shithub_actions_runner_heartbeats_total{result="claimed|no_job"}`

+- `shithub_actions_runner_jwt_total{result="issued|rejected|replay"}`

+Migrations 0042–0052, in dependency order:

+| 0050  | `workflow_steps.step_with`  | Parsed `with:` inputs for magic `uses:` aliases               |

+| 0051  | `workflow_runs.trigger_event_id` | Trigger idempotency for retries/admin replays            |

+| 0052  | `runner_jwt_used`           | Single-use replay gate for runner job JWTs                    |

+- **`runner_jwt_used`** — primary-keyed by JWT `jti`. Job endpoints

+  insert into this table during auth; zero inserted rows means replay

+  and the API returns 401. JWTs are HMAC-SHA256 and use an HKDF

+  subkey derived from `auth.totp_key_b64` with label

+  `actions-runner-jwt-v1`.

+- [actions-schema.md](./actions-schema.md),

+  [actions-runner-api.md](./actions-runner-api.md)

+# Actions runner smoke runbook

+

+This runbook drives one queued Actions job with curl. It is for S41c

+operator validation before the real `shithubd-runner` binary lands.

+

+Prereqs:

+

+- Database migrations are current through `0052_runner_jwt_used.sql`.

+- `SHITHUB_TOTP_KEY` or `auth.totp_key_b64` is set on the web process.

+- Object storage is configured if testing artifact upload.

+- A repo has a workflow under `.shithub/workflows/*.yml` with

+  `runs-on: ubuntu-latest`, and a push/dispatch has enqueued a run.

+

+Register a runner:

+

+```sh

+shithubd admin runner register \

+  --name runner-1 \

+  --labels self-hosted,linux,ubuntu-latest \

+  --capacity 1

+```

+

+Save the printed token:

+

+```sh

+export RUNNER_TOKEN='<printed-token>'

+export BASE='https://shithub.example'

+```

+

+Claim a job:

+

+```sh

+curl -fsS "$BASE/api/v1/runners/heartbeat" \

+  -H "Authorization: Bearer $RUNNER_TOKEN" \

+  -H "Content-Type: application/json" \

+  -d '{"labels":["self-hosted","linux","ubuntu-latest"],"capacity":1}' \

+  | tee /tmp/shithub-claim.json

+```

+

+Extract the job token and id:

+

+```sh

+export JOB_ID="$(jq -r '.job.id' /tmp/shithub-claim.json)"

+export JOB_TOKEN="$(jq -r '.token' /tmp/shithub-claim.json)"

+```

+

+Append a log chunk:

+

+```sh

+curl -fsS "$BASE/api/v1/jobs/$JOB_ID/logs" \

+  -H "Authorization: Bearer $JOB_TOKEN" \

+  -H "Content-Type: application/json" \

+  -d "{\"seq\":0,\"chunk\":\"$(printf 'hello from curl\n' | base64)\"}" \

+  | tee /tmp/shithub-log.json

+

+export JOB_TOKEN="$(jq -r '.next_token' /tmp/shithub-log.json)"

+```

+

+Complete the job:

+

+```sh

+curl -fsS "$BASE/api/v1/jobs/$JOB_ID/status" \

+  -H "Authorization: Bearer $JOB_TOKEN" \

+  -H "Content-Type: application/json" \

+  -d '{"status":"completed","conclusion":"success"}'

+```

+

+Replay check: reusing the log token after the log call must fail with

+401 because its `jti` is already present in `runner_jwt_used`.

+

+```sh

+curl -i "$BASE/api/v1/jobs/$JOB_ID/status" \

+  -H "Authorization: Bearer $(jq -r '.next_token' /tmp/shithub-log.json)" \

+  -H "Content-Type: application/json" \

+  -d '{"status":"running"}'

+```

+

+Expected results:

+

+- `workflow_jobs.status = completed` and conclusion `success`.

+- The parent `workflow_runs` row rolls up to completed/success when all

+  jobs are terminal.

+- The PR Checks tab shows the matching check run as success.

+- `/metrics` includes runner registration, heartbeat, and JWT counters.

+	ActionsRunnerRegistrationsTotal = prometheus.NewCounter(

+		prometheus.CounterOpts{

+			Name: "shithub_actions_runner_registrations_total",

+			Help: "Total Actions runners registered through operator tooling.",

+		},

+	)

+	ActionsRunnerHeartbeatsTotal = prometheus.NewCounterVec(

+		prometheus.CounterOpts{

+			Name: "shithub_actions_runner_heartbeats_total",

+			Help: "Total runner heartbeats by result (claimed, no_job).",

+		},

+		[]string{"result"},

+	)

+	ActionsRunnerJWTTotal = prometheus.NewCounterVec(

+		prometheus.CounterOpts{

+			Name: "shithub_actions_runner_jwt_total",

+			Help: "Total runner job JWT outcomes by result (issued, rejected, replay).",

+		},

+		[]string{"result"},

+	)

+		ActionsRunnerRegistrationsTotal,

+		ActionsRunnerHeartbeatsTotal,

+		ActionsRunnerJWTTotal,

+	"github.com/tenseleyFlow/shithub/internal/infra/metrics"

+		metrics.ActionsRunnerHeartbeatsTotal.WithLabelValues("no_job").Inc()

+	metrics.ActionsRunnerHeartbeatsTotal.WithLabelValues("claimed").Inc()

+	metrics.ActionsRunnerJWTTotal.WithLabelValues("issued").Inc()

+		metrics.ActionsRunnerJWTTotal.WithLabelValues("rejected").Inc()

+		metrics.ActionsRunnerJWTTotal.WithLabelValues("rejected").Inc()

+			metrics.ActionsRunnerJWTTotal.WithLabelValues("replay").Inc()

+			metrics.ActionsRunnerJWTTotal.WithLabelValues("rejected").Inc()

+	metrics.ActionsRunnerJWTTotal.WithLabelValues("issued").Inc()