tenseleyflow/shithub / 6931e9a

+	"github.com/tenseleyFlow/shithub/internal/version"

+		hostName, err := os.Hostname()

+		if err != nil {

+			hostName = ""

+		}

+			HostName:     hostName,

+			Version:      version.String(),

+	HostName string   `json:"host_name,omitempty"`

+	Version  string   `json:"version,omitempty"`

+		if req.Capacity != 2 || strings.Join(req.Labels, ",") != "self-hosted,linux" ||

+			req.HostName != "runner-host" || req.Version != "dev-test" {

+	claim, err := client.Heartbeat(t.Context(), HeartbeatRequest{

+		Labels:   []string{"self-hosted", "linux"},

+		Capacity: 2,

+		HostName: "runner-host",

+		Version:  "dev-test",

+	})

+	HostName           string

+	Version            string

+	hostName           string

+	version            string

+		hostName:           opts.HostName,

+		version:            opts.Version,

+	claim, err := r.api.Heartbeat(ctx, api.HeartbeatRequest{

+		Labels:   r.labels,

+		Capacity: r.capacity,

+		HostName: r.hostName,

+		Version:  r.version,

+	})

+	heartbeats   []api.HeartbeatRequest

+func (f *fakeAPI) Heartbeat(_ context.Context, req api.HeartbeatRequest) (*api.Claim, error) {

+	f.heartbeats = append(f.heartbeats, req)

+	fapi := &fakeAPI{}

+	r := New(Options{

+		API:        fapi,

+		Engine:     &fakeEngine{},

+		Workspaces: &fakeWorkspaces{},

+		Labels:     []string{"self-hosted", "linux"},

+		Capacity:   2,

+		HostName:   "runner-host",

+		Version:    "dev-test",

+	})

+	if len(fapi.heartbeats) != 1 {

+		t.Fatalf("heartbeats: %#v", fapi.heartbeats)

+	}

+	got := fapi.heartbeats[0]

+	if got.Capacity != 2 || got.HostName != "runner-host" || got.Version != "dev-test" ||

+		len(got.Labels) != 2 || got.Labels[0] != "self-hosted" || got.Labels[1] != "linux" {

+		t.Fatalf("heartbeat: %#v", got)

+	}

+	"unicode/utf8"

+	HostName string   `json:"host_name"`

+	Version  string   `json:"version"`

+const runnerMetadataMaxBytes = 255

+

+var errRunnerRevoked = errors.New("runner is revoked")

+

+	hostName := cleanRunnerMetadata(body.HostName)

+	if hostName == "" {

+		hostName = runner.HostName

+	}

+	version := cleanRunnerMetadata(body.Version)

+	if version == "" {

+		version = runner.Version

+	}

+	job, steps, resolvedSecrets, claimed, err := h.claimRunnerJob(r.Context(), runner.ID, labels, int32(capacity), hostName, version)

+		if errors.Is(err, errRunnerRevoked) {

+			metrics.ActionsRunnerHeartbeatsTotal.WithLabelValues("rejected").Inc()

+			writeAPIError(w, http.StatusUnauthorized, "runner revoked")

+			return

+		}

+func cleanRunnerMetadata(value string) string {

+	value = strings.TrimSpace(value)

+	if len(value) <= runnerMetadataMaxBytes {

+		return value

+	}

+	var b strings.Builder

+	for _, r := range value {

+		runeLen := utf8.RuneLen(r)

+		if runeLen < 0 || b.Len()+runeLen > runnerMetadataMaxBytes {

+			break

+		}

+		b.WriteRune(r)

+	}

+	return strings.TrimSpace(b.String())

+}

+

+	hostName string,

+	version string,

+	lockedRunner, err := q.LockRunnerByID(ctx, tx, runnerID)

+	if err != nil {

+	if lockedRunner.RevokedAt.Valid {

+		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, errRunnerRevoked

+	}

+	heartbeat := func(status actionsdb.WorkflowRunnerStatus) error {

+		_, err := q.HeartbeatRunner(ctx, tx, actionsdb.HeartbeatRunnerParams{

+			Status:   status,

+			HostName: hostName,

+			Version:  version,

+		})

+		return err

+	}

+	if lockedRunner.DrainingAt.Valid {

+		status := actionsdb.WorkflowRunnerStatusIdle

+		if running > 0 {

+			status = actionsdb.WorkflowRunnerStatusBusy

+		}

+		if err := heartbeat(status); err != nil {

+			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err

+		}

+		if err := tx.Commit(ctx); err != nil {

+			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, err

+		}

+		committed = true

+		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, nil, false, nil

+	}

+	if running >= capacity {

+		if err := heartbeat(actionsdb.WorkflowRunnerStatusBusy); err != nil {

+		if err := heartbeat(actionsdb.WorkflowRunnerStatusIdle); err != nil {

+	if err := heartbeat(status); err != nil {

+	var claimLatencySeconds float64

+	observeClaimLatency := false

+	if job.CreatedAt.Valid {

+		if latency := time.Since(job.CreatedAt.Time); latency >= 0 {

+			claimLatencySeconds = latency.Seconds()

+			observeClaimLatency = true

+		}

+	}

+	if observeClaimLatency {

+		metrics.ActionsJobClaimLatencySeconds.Observe(claimLatencySeconds)

+	}

+	q := actionsdb.New()

+	runner, err := q.GetRunnerByID(r.Context(), h.d.Pool, runnerID)

+	if err != nil || runner.RevokedAt.Valid {

+		metrics.ActionsRunnerJWTTotal.WithLabelValues("rejected").Inc()

+		writeAPIError(w, http.StatusUnauthorized, "job token invalid")

+		return runnerJobAuth{}, false

+	}

+	job, err := q.GetWorkflowJobByID(r.Context(), h.d.Pool, pathJobID)

+		strings.NewReader(`{"labels":["ubuntu-latest","linux"],"capacity":1,"host_name":"runner-host","version":"dev-test"}`))

+	runnerRow, err := actionsdb.New().GetRunnerByID(ctx, pool, runnerID)

+	if err != nil {

+		t.Fatalf("GetRunnerByID: %v", err)

+	}

+	if runnerRow.HostName != "runner-host" || runnerRow.Version != "dev-test" {

+		t.Fatalf("runner metadata: host=%q version=%q", runnerRow.HostName, runnerRow.Version)

+	}

+func TestRunnerHeartbeatDoesNotClaimWhenDraining(t *testing.T) {

+	ctx := context.Background()

+	pool := dbtest.NewTestDB(t)

+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))

+	repoID, userID := setupRunnerAPIRepo(t, pool)

+	runID := enqueueRunnerAPIRun(t, pool, logger, repoID, userID)

+	token, runnerID := registerRunnerForTest(t, pool, []string{"ubuntu-latest", "linux"}, 1)

+	q := actionsdb.New()

+	if _, err := q.SetRunnerDraining(ctx, pool, actionsdb.SetRunnerDrainingParams{

+		ID:          runnerID,

+		DrainReason: "maintenance",

+	}); err != nil {

+		t.Fatalf("SetRunnerDraining: %v", err)

+	}

+	router := newRunnerAPIRouter(t, pool, logger, runnerAPISigner(t, time.Now()))

+

+	req := httptest.NewRequest(http.MethodPost, "/api/v1/runners/heartbeat",

+		strings.NewReader(`{"labels":["ubuntu-latest","linux"],"capacity":1,"host_name":"draining-host","version":"dev-test"}`))

+	req.Header.Set("Authorization", "Bearer "+token)

+	rr := httptest.NewRecorder()

+	router.ServeHTTP(rr, req)

+

+	if rr.Code != http.StatusNoContent {

+		t.Fatalf("status: got %d, want 204; body=%s", rr.Code, rr.Body.String())

+	}

+	jobs, err := q.ListJobsForRun(ctx, pool, runID)

+	if err != nil {

+		t.Fatalf("ListJobsForRun: %v", err)

+	}

+	if len(jobs) != 1 || jobs[0].Status != actionsdb.WorkflowJobStatusQueued {

+		t.Fatalf("job was claimed while runner drained: %#v", jobs)

+	}

+	job, err := q.GetWorkflowJobByID(ctx, pool, jobs[0].ID)

+	if err != nil {

+		t.Fatalf("GetWorkflowJobByID: %v", err)

+	}

+	if job.RunnerID.Valid {

+		t.Fatalf("job was assigned to runner while drained: %+v", job)

+	}

+	runnerRow, err := q.GetRunnerByID(ctx, pool, runnerID)

+	if err != nil {

+		t.Fatalf("GetRunnerByID: %v", err)

+	}

+	if !runnerRow.DrainingAt.Valid || runnerRow.HostName != "draining-host" {

+		t.Fatalf("runner drain/metadata not preserved: %+v", runnerRow)

+	}

+}

+

+func TestRunnerJobTokenRejectedAfterRunnerRevoked(t *testing.T) {

+	ctx := context.Background()

+	pool := dbtest.NewTestDB(t)

+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))

+	repoID, userID := setupRunnerAPIRepo(t, pool)

+	enqueueRunnerAPIRun(t, pool, logger, repoID, userID)

+	token, runnerID := registerRunnerForTest(t, pool, []string{"ubuntu-latest", "linux"}, 1)

+	router := newRunnerAPIRouter(t, pool, logger, runnerAPISigner(t, time.Now()))

+

+	req := httptest.NewRequest(http.MethodPost, "/api/v1/runners/heartbeat",

+		strings.NewReader(`{"labels":["ubuntu-latest","linux"],"capacity":1}`))

+	req.Header.Set("Authorization", "Bearer "+token)

+	rr := httptest.NewRecorder()

+	router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusOK {

+		t.Fatalf("claim status: got %d, want 200; body=%s", rr.Code, rr.Body.String())

+	}

+	var claim struct {

+		Token string `json:"token"`

+		Job   struct {

+			ID int64 `json:"id"`

+		} `json:"job"`

+	}

+	if err := json.Unmarshal(rr.Body.Bytes(), &claim); err != nil {

+		t.Fatalf("decode claim: %v", err)

+	}

+	q := actionsdb.New()

+	if _, err := q.RevokeRunner(ctx, pool, actionsdb.RevokeRunnerParams{

+		ID:            runnerID,

+		RevokedReason: "compromised",

+	}); err != nil {

+		t.Fatalf("RevokeRunner: %v", err)

+	}

+	if err := q.RevokeAllTokensForRunner(ctx, pool, runnerID); err != nil {

+		t.Fatalf("RevokeAllTokensForRunner: %v", err)

+	}

+

+	statusReq := httptest.NewRequest(http.MethodPost, fmt.Sprintf("/api/v1/jobs/%d/status", claim.Job.ID),

+		strings.NewReader(`{"status":"running"}`))

+	statusReq.Header.Set("Authorization", "Bearer "+claim.Token)

+	statusRR := httptest.NewRecorder()

+	router.ServeHTTP(statusRR, statusReq)

+	if statusRR.Code != http.StatusUnauthorized {

+		t.Fatalf("status: got %d, want 401; body=%s", statusRR.Code, statusRR.Body.String())

+	}

+}

+