tenseleyflow/shithub / 561824f

+	"fmt"

+	"path/filepath"

+	cfg config.Config,

+	if cfg.Storage.ReposRoot == "" {

+		return nil, errors.New("api: cfg.Storage.ReposRoot is empty")

+	}

+	root, err := filepath.Abs(cfg.Storage.ReposRoot)

+	if err != nil {

+		return nil, fmt.Errorf("api: resolve repos_root: %w", err)

+	}

+	rfs, err := storage.NewRepoFS(root)

+	if err != nil {

+		return nil, fmt.Errorf("api: NewRepoFS: %w", err)

+	}

+		RepoFS:      rfs,

+		r.Post("/api/v1/runs/{id}/rerun", h.workflowRunRerun)

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package api

+

+import (

+	"errors"

+	"net/http"

+	"strconv"

+

+	"github.com/go-chi/chi/v5"

+	"github.com/jackc/pgx/v5"

+

+	actionslifecycle "github.com/tenseleyFlow/shithub/internal/actions/lifecycle"

+	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+)

+

+func (h *Handlers) workflowRunRerun(w http.ResponseWriter, r *http.Request) {

+	auth := middleware.PATAuthFromContext(r.Context())

+	if auth.UserID == 0 {

+		writeAPIError(w, http.StatusUnauthorized, "unauthenticated")

+		return

+	}

+	runID, err := strconv.ParseInt(chi.URLParam(r, "id"), 10, 64)

+	if err != nil || runID <= 0 {

+		writeAPIError(w, http.StatusNotFound, "run not found")

+		return

+	}

+	run, repo, ok := h.resolveLifecycleRun(w, r, auth.UserID, runID)

+	if !ok {

+		return

+	}

+	result, err := actionslifecycle.RerunRun(r.Context(), actionslifecycle.Deps{

+		Pool:   h.d.Pool,

+		RepoFS: h.d.RepoFS,

+		Logger: h.d.Logger,

+	}, run.ID, auth.UserID)

+	if err != nil {

+		h.writeRerunError(w, r, run.ID, err)

+		return

+	}

+	writeJSON(w, http.StatusCreated, map[string]any{

+		"run_id":        result.RunID,

+		"run_index":     result.RunIndex,

+		"parent_run_id": result.ParentRunID,

+		"repo_id":       repo.ID,

+		"workflow_file": run.WorkflowFile,

+		"head_sha":      run.HeadSha,

+	})

+}

+

+func (h *Handlers) resolveLifecycleRun(

+	w http.ResponseWriter,

+	r *http.Request,

+	userID int64,

+	runID int64,

+) (actionsdb.WorkflowRun, reposdb.Repo, bool) {

+	q := actionsdb.New()

+	run, err := q.GetWorkflowRunByID(r.Context(), h.d.Pool, runID)

+	if err != nil {

+		writeAPIError(w, http.StatusNotFound, "run not found")

+		return actionsdb.WorkflowRun{}, reposdb.Repo{}, false

+	}

+	repo, err := reposdb.New().GetRepoByID(r.Context(), h.d.Pool, run.RepoID)

+	if err != nil {

+		if errors.Is(err, pgx.ErrNoRows) {

+			writeAPIError(w, http.StatusNotFound, "run not found")

+		} else {

+			writeAPIError(w, http.StatusInternalServerError, "repo lookup failed")

+		}

+		return actionsdb.WorkflowRun{}, reposdb.Repo{}, false

+	}

+	actor := policy.UserActor(userID, "", false, false)

+	if !policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.ActionRepoWrite, policy.NewRepoRefFromRepo(repo)).Allow {

+		writeAPIError(w, http.StatusNotFound, "run not found")

+		return actionsdb.WorkflowRun{}, reposdb.Repo{}, false

+	}

+	return run, repo, true

+}

+

+func (h *Handlers) writeRerunError(w http.ResponseWriter, r *http.Request, runID int64, err error) {

+	switch {

+	case errors.Is(err, actionslifecycle.ErrRunNotRerunnable):

+		writeAPIError(w, http.StatusConflict, "run is not rerunnable")

+	case errors.Is(err, actionslifecycle.ErrWorkflowSourceUnavailable):

+		writeAPIError(w, http.StatusConflict, "workflow source unavailable")

+	case errors.Is(err, actionslifecycle.ErrWorkflowSourceInvalid):

+		writeAPIError(w, http.StatusUnprocessableEntity, "workflow source invalid")

+	default:

+		h.d.Logger.WarnContext(r.Context(), "api actions rerun", "run_id", runID, "error", err)

+		writeAPIError(w, http.StatusInternalServerError, "rerun failed")

+	}

+}

+	RepoFS      *storage.RepoFS

+	repogit "github.com/tenseleyFlow/shithub/internal/repos/git"

+func TestWorkflowRunRerunAPIQueuesOriginalCommitWorkflow(t *testing.T) {

+	ctx := context.Background()

+	pool := dbtest.NewTestDB(t)

+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))

+	repoID, userID := setupRunnerAPIRepo(t, pool)

+	rfs, err := storage.NewRepoFS(t.TempDir())

+	if err != nil {

+		t.Fatalf("NewRepoFS: %v", err)

+	}

+	gitDir, err := rfs.RepoPath("alice", "demo")

+	if err != nil {

+		t.Fatalf("RepoPath: %v", err)

+	}

+	if err := rfs.InitBare(ctx, gitDir); err != nil {

+		t.Fatalf("InitBare: %v", err)

+	}

+	oldSHA := commitRunnerAPIWorkflow(t, gitDir, runnerAPIOldWorkflow, time.Date(2026, 5, 11, 12, 0, 0, 0, time.UTC))

+	wf := parseRunnerAPIWorkflow(t, runnerAPIOldWorkflow)

+	original, err := trigger.Enqueue(ctx, trigger.Deps{Pool: pool, Logger: logger}, trigger.EnqueueParams{

+		RepoID:         repoID,

+		WorkflowFile:   ".shithub/workflows/ci.yml",

+		HeadSHA:        oldSHA,

+		HeadRef:        "refs/heads/trunk",

+		EventKind:      trigger.EventPush,

+		EventPayload:   map[string]any{"ref": "refs/heads/trunk"},

+		ActorUserID:    userID,

+		TriggerEventID: "push:api-rerun",

+		Workflow:       wf,

+	})

+	if err != nil {

+		t.Fatalf("trigger.Enqueue original: %v", err)

+	}

+	if _, err := actionsdb.New().CompleteWorkflowRun(ctx, pool, actionsdb.CompleteWorkflowRunParams{

+		ID:         original.RunID,

+		Conclusion: actionsdb.CheckConclusionFailure,

+	}); err != nil {

+		t.Fatalf("CompleteWorkflowRun: %v", err)

+	}

+	_ = commitRunnerAPIWorkflow(t, gitDir, runnerAPINewWorkflow, time.Date(2026, 5, 11, 12, 5, 0, 0, time.UTC))

+

+	rawPAT := mintRunnerAPIPAT(t, pool, userID, string(pat.ScopeRepoWrite))

+	router := newRunnerAPIRouterWithRepoFS(t, pool, logger, runnerAPISigner(t, time.Now()), rfs)

+	req := httptest.NewRequest(http.MethodPost, fmt.Sprintf("/api/v1/runs/%d/rerun", original.RunID), nil)

+	req.Header.Set("Authorization", "Bearer "+rawPAT)

+	rr := httptest.NewRecorder()

+	router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusCreated {

+		t.Fatalf("rerun status: got %d, want 201; body=%s", rr.Code, rr.Body.String())

+	}

+	var body struct {

+		RunID       int64 `json:"run_id"`

+		RunIndex    int64 `json:"run_index"`

+		ParentRunID int64 `json:"parent_run_id"`

+	}

+	if err := json.Unmarshal(rr.Body.Bytes(), &body); err != nil {

+		t.Fatalf("decode response: %v", err)

+	}

+	if body.RunID == 0 || body.RunID == original.RunID || body.ParentRunID != original.RunID {

+		t.Fatalf("response: %+v original=%+v", body, original)

+	}

+	rerun, err := actionsdb.New().GetWorkflowRunByID(ctx, pool, body.RunID)

+	if err != nil {

+		t.Fatalf("GetWorkflowRunByID rerun: %v", err)

+	}

+	if rerun.HeadSha != oldSHA || !rerun.ParentRunID.Valid || rerun.ParentRunID.Int64 != original.RunID {

+		t.Fatalf("rerun row: %+v oldSHA=%s", rerun, oldSHA)

+	}

+	jobs, err := actionsdb.New().ListJobsForRun(ctx, pool, body.RunID)

+	if err != nil {

+		t.Fatalf("ListJobsForRun: %v", err)

+	}

+	if len(jobs) != 1 || jobs[0].JobKey != "old_job" {

+		t.Fatalf("rerun jobs came from wrong workflow: %+v", jobs)

+	}

+}

+

+func newRunnerAPIRouterWithRepoFS(

+	t *testing.T,

+	pool *pgxpool.Pool,

+	logger *slog.Logger,

+	signer *runnerjwt.Signer,

+	rfs *storage.RepoFS,

+) http.Handler {

+	t.Helper()

+	h, err := apih.New(apih.Deps{

+		Pool:      pool,

+		Logger:    logger,

+		RunnerJWT: signer,

+		RepoFS:    rfs,

+	})

+	if err != nil {

+		t.Fatalf("api.New: %v", err)

+	}

+	r := chi.NewRouter()

+	h.Mount(r)

+	return r

+}

+

+const runnerAPIOldWorkflow = `name: CI

+on: push

+jobs:

+  old_job:

+    name: Old job

+    runs-on: ubuntu-latest

+    steps:

+      - run: echo old

+`

+

+const runnerAPINewWorkflow = `name: CI

+on: push

+jobs:

+  new_job:

+    name: New job

+    runs-on: ubuntu-latest

+    steps:

+      - run: echo new

+`

+

+func commitRunnerAPIWorkflow(t *testing.T, gitDir, body string, when time.Time) string {

+	t.Helper()

+	commit, err := (repogit.InitialCommit{

+		GitDir:      gitDir,

+		AuthorName:  "Alice",

+		AuthorEmail: "alice@example.test",

+		Branch:      "trunk",

+		Message:     "Update workflow",

+		When:        when,

+		Files: []repogit.FileEntry{

+			{Path: ".shithub/workflows/ci.yml", Body: []byte(body)},

+		},

+	}).Build(context.Background())

+	if err != nil {

+		t.Fatalf("InitialCommit.Build: %v", err)

+	}

+	return commit

+}

+

+func parseRunnerAPIWorkflow(t *testing.T, body string) *workflow.Workflow {

+	t.Helper()

+	wf, diags, err := workflow.Parse([]byte(body))

+	if err != nil {

+		t.Fatalf("workflow.Parse: %v", err)

+	}

+	for _, d := range diags {

+		if d.Severity == workflow.Error {

+			t.Fatalf("workflow diagnostic: %v", d)

+		}

+	}

+	return wf

+}

+

+	RerunHref      string

+	CanRerun       bool

+	ParentRunIndex int64

+	ParentRunHref  string

+	h.applyActionsLifecycleControls(r, row, &view)

+		RerunHref:      runPath + "/rerun",

+	if run.ParentRunID.Valid {

+		parent, err := q.GetWorkflowRunByID(ctx, h.d.Pool, run.ParentRunID.Int64)

+		if err == nil && parent.RepoID == repoID {

+			view.ParentRunIndex = parent.RunIndex

+			view.ParentRunHref = basePath + "/runs/" + strconv.FormatInt(parent.RunIndex, 10)

+		}

+	}

+func (h *Handlers) applyActionsLifecycleControls(r *http.Request, row reposdb.Repo, view *actionsRunDetailView) {

+	if view == nil {

+	if view.IsTerminal {

+		view.CanRerun = true

+		return

+	}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package repo

+

+import (

+	"errors"

+	"net/http"

+

+	"github.com/jackc/pgx/v5"

+

+	actionslifecycle "github.com/tenseleyFlow/shithub/internal/actions/lifecycle"

+	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+)

+

+func (h *Handlers) repoActionRunRerun(w http.ResponseWriter, r *http.Request) {

+	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoWrite)

+	if !ok {

+		return

+	}

+	runIndex, ok := parsePositiveInt64Param(r, "runIndex")

+	if !ok {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		return

+	}

+	run, err := actionsdb.New().GetWorkflowRunForRepoByIndex(r.Context(), h.d.Pool, actionsdb.GetWorkflowRunForRepoByIndexParams{

+		RepoID:   row.ID,

+		RunIndex: runIndex,

+	})

+	if err != nil {

+		if errors.Is(err, pgx.ErrNoRows) {

+			h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		} else {

+			h.d.Logger.WarnContext(r.Context(), "repo actions: lookup run for rerun", "repo_id", row.ID, "run_index", runIndex, "error", err)

+			h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		}

+		return

+	}

+	viewer := middleware.CurrentUserFromContext(r.Context())

+	result, err := actionslifecycle.RerunRun(r.Context(), actionslifecycle.Deps{

+		Pool:   h.d.Pool,

+		RepoFS: h.d.RepoFS,

+		Logger: h.d.Logger,

+	}, run.ID, viewer.ID)

+	if err != nil {

+		h.writeRepoRerunError(w, r, run.ID, err)

+		return

+	}

+	http.Redirect(w, r, repoActionRunHref(owner.Username, row.Name, result.RunIndex), http.StatusSeeOther)

+}

+

+func (h *Handlers) writeRepoRerunError(w http.ResponseWriter, r *http.Request, runID int64, err error) {

+	switch {

+	case errors.Is(err, actionslifecycle.ErrRunNotRerunnable):

+		h.d.Render.HTTPError(w, r, http.StatusConflict, "run is not rerunnable")

+	case errors.Is(err, actionslifecycle.ErrWorkflowSourceUnavailable):

+		h.d.Render.HTTPError(w, r, http.StatusConflict, "workflow source unavailable")

+	case errors.Is(err, actionslifecycle.ErrWorkflowSourceInvalid):

+		h.d.Render.HTTPError(w, r, http.StatusUnprocessableEntity, "workflow source invalid")

+	default:

+		h.d.Logger.WarnContext(r.Context(), "repo actions: rerun", "run_id", runID, "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+	}

+}

+func TestRepoActionRunRendersRerunControlsForWritersOnly(t *testing.T) {

+	t.Parallel()

+	f := newRepoFixture(t)

+	now := time.Date(2026, 5, 11, 12, 0, 0, 0, time.UTC)

+	f.insertWorkflowRun(t, workflowRunFixture{

+		RunIndex:      14,

+		WorkflowFile:  ".shithub/workflows/ci.yml",

+		WorkflowName:  "CI",

+		HeadRef:       "trunk",

+		Event:         actionsdb.WorkflowRunEventPush,

+		Status:        actionsdb.WorkflowRunStatusCompleted,

+		Conclusion:    actionsdb.CheckConclusionFailure,

+		ActorUserID:   f.owner.ID,

+		CreatedOffset: -20 * time.Minute,

+		StartedOffset: -19 * time.Minute,

+		DoneOffset:    -18 * time.Minute,

+	}, now)

+

+	resp := httptest.NewRecorder()

+	req := httptest.NewRequest(http.MethodGet, "/alice/public-repo/actions/runs/14", nil)

+	f.actionsMux(viewerFor(f.owner)).ServeHTTP(resp, req)

+	if resp.Code != http.StatusOK {

+		t.Fatalf("owner status=%d body=%s", resp.Code, resp.Body.String())

+	}

+	body := resp.Body.String()

+	if !strings.Contains(body, "RERUN=/alice/public-repo/actions/runs/14/rerun;") {

+		t.Fatalf("owner body missing rerun control: %s", body)

+	}

+	if strings.Contains(body, "CANCEL_RUN=") {

+		t.Fatalf("terminal run rendered cancel control: %s", body)

+	}

+

+	resp = httptest.NewRecorder()

+	req = httptest.NewRequest(http.MethodGet, "/alice/public-repo/actions/runs/14", nil)

+	f.actionsMux(viewerFor(f.stranger)).ServeHTTP(resp, req)

+	if resp.Code != http.StatusOK {

+		t.Fatalf("stranger status=%d body=%s", resp.Code, resp.Body.String())

+	}

+	if strings.Contains(resp.Body.String(), "RERUN=") {

+		t.Fatalf("rerun control leaked to non-writer: %s", resp.Body.String())

+	}

+}

+

+func TestRepoActionRunRerunQueuesOriginalCommitWorkflow(t *testing.T) {

+	t.Parallel()

+	f := newRepoFixture(t)

+	now := time.Date(2026, 5, 11, 12, 0, 0, 0, time.UTC)

+	oldSHA := f.seedWorkflowFile(t, "ci.yml", rerunOldWorkflow)

+	gitDir, err := f.handlers.d.RepoFS.RepoPath(f.owner.Username, f.publicRepo.Name)

+	if err != nil {

+		t.Fatalf("RepoPath: %v", err)

+	}

+	_, err = (repogit.InitialCommit{

+		GitDir:      gitDir,

+		AuthorName:  "Alice",

+		AuthorEmail: "alice@example.test",

+		Branch:      "trunk",

+		Message:     "Change workflow",

+		When:        now.Add(5 * time.Minute),

+		Files: []repogit.FileEntry{

+			{Path: ".shithub/workflows/ci.yml", Body: []byte(rerunNewWorkflow)},

+		},

+	}).Build(context.Background())

+	if err != nil {

+		t.Fatalf("InitialCommit.Build new workflow: %v", err)

+	}

+	sourceRunID := f.insertWorkflowRun(t, workflowRunFixture{

+		RunIndex:      15,

+		WorkflowFile:  ".shithub/workflows/ci.yml",

+		WorkflowName:  "CI",

+		HeadSHA:       oldSHA,

+		HeadRef:       "refs/heads/trunk",

+		Event:         actionsdb.WorkflowRunEventPush,

+		EventPayload:  `{"ref":"refs/heads/trunk"}`,

+		Status:        actionsdb.WorkflowRunStatusCompleted,

+		Conclusion:    actionsdb.CheckConclusionFailure,

+		ActorUserID:   f.owner.ID,

+		CreatedOffset: -20 * time.Minute,

+		StartedOffset: -19 * time.Minute,

+		DoneOffset:    -18 * time.Minute,

+	}, now)

+

+	resp := httptest.NewRecorder()

+	req := httptest.NewRequest(http.MethodPost, "/alice/public-repo/actions/runs/15/rerun", nil)

+	f.actionsMux(viewerFor(f.owner)).ServeHTTP(resp, req)

+	if resp.Code != http.StatusSeeOther {

+		t.Fatalf("status=%d body=%s", resp.Code, resp.Body.String())

+	}

+	if loc := resp.Header().Get("Location"); loc != "/alice/public-repo/actions/runs/16" {

+		t.Fatalf("Location=%q", loc)

+	}

+

+	rerun, err := actionsdb.New().GetWorkflowRunForRepoByIndex(context.Background(), f.pool, actionsdb.GetWorkflowRunForRepoByIndexParams{

+		RepoID:   f.publicRepo.ID,

+		RunIndex: 16,

+	})

+	if err != nil {

+		t.Fatalf("GetWorkflowRunForRepoByIndex rerun: %v", err)

+	}

+	if !rerun.ParentRunID.Valid || rerun.ParentRunID.Int64 != sourceRunID || rerun.HeadSha != oldSHA {

+		t.Fatalf("rerun row: %+v source=%d oldSHA=%s", rerun, sourceRunID, oldSHA)

+	}

+	jobs, err := actionsdb.New().ListJobsForRun(context.Background(), f.pool, rerun.ID)

+	if err != nil {

+		t.Fatalf("ListJobsForRun: %v", err)

+	}

+	if len(jobs) != 1 || jobs[0].JobKey != "old_job" {

+		t.Fatalf("rerun jobs came from wrong workflow: %+v", jobs)

+	}

+

+	resp = httptest.NewRecorder()

+	req = httptest.NewRequest(http.MethodGet, "/alice/public-repo/actions/runs/16", nil)

+	f.actionsMux(viewerFor(f.owner)).ServeHTTP(resp, req)

+	if resp.Code != http.StatusOK {

+		t.Fatalf("rerun detail status=%d body=%s", resp.Code, resp.Body.String())

+	}

+	if !strings.Contains(resp.Body.String(), "PARENT=15:/alice/public-repo/actions/runs/15;") {

+		t.Fatalf("rerun detail missing parent link: %s", resp.Body.String())

+	}

+}

+

+	mux.Post("/{owner}/{repo}/actions/runs/{runIndex}/rerun", f.handlers.repoActionRunRerun)

+const rerunOldWorkflow = `name: CI

+on: push

+jobs:

+  old_job:

+    name: Old job

+    runs-on: ubuntu-latest

+    steps:

+      - run: echo old

+`

+

+const rerunNewWorkflow = `name: CI

+on: push

+jobs:

+  new_job:

+    name: New job

+    runs-on: ubuntu-latest

+    steps:

+      - run: echo new

+`

+

+	HeadSHA       string

+	EventPayload  string

+	headSHA := fx.HeadSHA

+	if headSHA == "" {

+		headSHA = strings.Repeat(strconvDigit(fx.RunIndex), 40)

+	}

+	eventPayload := fx.EventPayload

+	if eventPayload == "" {

+		eventPayload = "{}"

+	}

+			$5, $6, $7, $8::jsonb, $9,

+			$10, $11, $12, $13, $14, $15

+		headSHA,

+		eventPayload,

+	r.Post("/{owner}/{repo}/actions/runs/{runIndex}/rerun", h.repoActionRunRerun)

+		"repo/action_run.html":         {Data: []byte(`{{ define "page" }}RUN={{ .Run.Title }}:#{{ .Run.RunIndex }}:{{ .Run.Event }}:{{ .Run.ActorUsername }}:{{ .Run.StateClass }};{{ if .Run.ParentRunHref }}PARENT={{ .Run.ParentRunIndex }}:{{ .Run.ParentRunHref }};{{ end }}{{ if .Run.CanRerun }}RERUN={{ .Run.RerunHref }};{{ end }}{{ if .Run.CanCancel }}CANCEL_RUN={{ .Run.CancelHref }};{{ end }}SUMMARY={{ .Run.JobCount }}:{{ .Run.CompletedCount }}:{{ .Run.FailureCount }}:{{ .Run.ArtifactCount }};{{ range .Run.Jobs }}JOB={{ .Name }}:{{ .StateClass }}:{{ .NeedsText }}:{{ .RunsOn }};{{ if .CanCancel }}CANCEL_JOB={{ .CancelHref }};{{ end }}{{ if .CancelRequested }}CANCEL_REQUESTED={{ .Name }};{{ end }}{{ range .Steps }}STEP={{ .Name }}:{{ .StateClass }}:{{ .LogHref }};{{ end }}{{ end }}{{ end }}`)},

+		api, err := buildAPIHandlers(cfg, pool, objectStore, runnerJWT, actionsBox, ratelimit.New(pool), logger)

+        {{ if .Run.ParentRunHref }} · re-run of <a href="{{ .Run.ParentRunHref }}">#{{ .Run.ParentRunIndex }}</a>{{ end }}

+      {{ if .Run.CanRerun }}

+        <form method="POST" action="{{ .Run.RerunHref }}" class="shithub-actions-inline-form">

+          <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">

+          <button type="submit" class="shithub-button">{{ octicon "history" }} Re-run jobs</button>

+        </form>

+      {{ end }}