tenseleyflow/shithub / 9994c68

+For shared-pool public runner rollout, see

+[`actions-public-runners.md`](./actions-public-runners.md). S41h covers whether

+shithub can dogfood its own CI; S41j covers whether normal repositories can use

+the production runner pool safely.

+

+# Shared Actions Runner Readiness

+

+This document is the S41j-6 readiness packet for letting normal repositories

+use the shithub.sh shared Actions pool. S41j is the safety and operations track.

+S41k is the Actions UI parity track; S41k improves the product surface but is

+not a blocker for controlled arbitrary-repo execution.

+

+## Current Decision

+

+Status: **controlled dogfood, not broad public GA**.

+

+The platform can run ordinary repositories that meet the Actions policy, runner

+label, and syntax constraints. Broad public shared-runner enablement should wait

+until this checklist has a deployed/manual pass and no open Critical or High

+findings.

+

+## Eligibility Contract

+

+A repository may use the shared pool when all of these are true:

+

+1. Site Actions policy allows runner dispatch. The site switch is a hard kill

+   switch and overrides repo/org policy.

+2. The repo or its owner org has Actions enabled, or inherits an enabled site

+   policy.

+3. The workflow lives under `.shithub/workflows/*.yml` and parses under the

+   supported v1 subset.

+4. The triggering actor can run Actions on that repo. Untrusted pull requests

+   queue in an approval-required state before runner dispatch.

+5. The job's `runs-on` labels match an online runner, normally

+   `ubuntu-latest` for the first shared Linux pool.

+6. Repo queued-run, repo concurrency, owner concurrency, and actor hourly caps

+   permit the run.

+7. The repo is not archived or deleted.

+

+For public shithub.sh rollout, operators should keep site caps conservative and

+raise them only after real queue/claim/host-cost data exists.

+

+## Billing And Entitlements

+

+Billing is present, but Actions minute metering is not enforcement-ready yet.

+The current entitlement boundary includes:

+

+- `org.actions_minutes_quota`

+- `LimitOrgActionsMinutesQuota`

+

+`LimitOrgActionsMinutesQuota` intentionally reports no concrete number until

+usage accounting lands. Do not gate public shared-runner execution by scattered

+plan checks. When billing gates arrive, they must go through

+`internal/entitlements` and keep authorization separate from entitlement

+denials.

+

+Recommended rollout posture:

+

+- personal/public dogfood repos: allowed only under site policy and conservative

+  caps;

+- organization-level Actions secrets/variables: already Team-gated;

+- paid shared-runner minutes: defer until metering can record usage and enforce

+  limits consistently;

+- unpaid or past-due orgs: keep paid-only Actions configuration read-only, but

+  do not delete secrets, variables, or prior run history.

+

+## S41j-6 Findings

+

+| ID | Severity | Status | Finding | Resolution |

+| --- | --- | --- | --- | --- |

+| S41J6-H1 | High | Fixed in S41j-6 | Site Actions disable was not a hard kill switch; explicit repo/org enablement could still evaluate true and queued jobs could be claimed. | Effective policy and runner claim SQL now return false whenever `actions_site_policy.actions_enabled=false`. Tests cover enqueue-time policy and claim-time dispatch. |

+| S41J6-M1 | Medium | Open with compensating control | Actions minutes billing has an entitlement key but no usage accounting or numeric limits. | Do not market or sell metered Actions minutes yet. Use site/org/repo policy caps and runner capacity as the public-runner control until billing SP08 defines usage accounting. |

+| S41J6-M2 | Medium | Manual validation pending | The S41j-5 arbitrary-repo smoke must run on production after deploy. | Run the scratch plus second-repo checklist in `runbooks/actions-runner.md` before declaring broad availability. |

+

+No Critical findings are open in this packet.

+

+## Required Evidence Before Broad Enablement

+

+- `scripts/audit-actions-public-runners.sh` passes on the deployed commit.

+- Focused Go tests pass for site kill switch, repo/owner concurrency caps,

+  unsupported label diagnostics, token gates, and untrusted PR secret behavior.

+- Live smoke passes on `mfwolffe/scratch`.

+- Live smoke passes on at least one additional normal public repository with

+  `runs-on: ubuntu-latest`.

+- Unsupported-label workflow shows a queued diagnostic with zero matching

+  runners.

+- Untrusted pull request run receives no secrets or mask values before approval.

+- Drained and revoked runners do not claim or complete new work.

+- A job-container network bypass attempt cannot reach direct IP destinations or

+  the DigitalOcean metadata service unless explicitly allowlisted.

+

+## Operator Controls

+

+Emergency stop:

+

+```sql

+UPDATE actions_site_policy

+   SET actions_enabled = false,

+       updated_at = now()

+ WHERE id = true;

+```

+

+After this change, newly matched workflows should be skipped by policy and

+already queued jobs should not be claimed by runners. Keep this SQL in the

+incident runbook until a site-admin UI exists.

+

+Capacity limits:

+

+- `max_repo_queued_runs` bounds backlog.

+- `max_repo_concurrent_jobs` bounds active jobs for one repository.

+- `max_owner_concurrent_jobs` bounds active jobs across one user or org owner.

+- `actor_trigger_limit_per_hour` bounds trigger spam by a single actor.

+

+These are policy controls, not billing meters. They protect the shared pool

+while Actions minute accounting is still future work.

+

+## Relationship To S41k

+

+S41k should follow S41j because it is UI parity:

+

+- Actions sidebar and management placeholders;

+- workflow-specific run pages;

+- run graph canvas;

+- log viewer and annotations;

+- caches, runners, and metrics pages.

+

+None of those replace S41j's security gates. S41k can make unsupported labels,

+queue state, runner health, and usage easier to see, but it should not be the

+first line of defense for arbitrary code execution.

+The site-level disable path is a hard kill switch and overrides repo/org

+Actions policy. Until a site-admin UI exists, use:

+

+```sql

+UPDATE actions_site_policy

+   SET actions_enabled = false,

+       updated_at = now()

+ WHERE id = true;

+```

+

+The public shared-runner rollout criteria live in

+[`actions-public-runners.md`](../actions-public-runners.md).

+

+#!/usr/bin/env bash

+# SPDX-License-Identifier: AGPL-3.0-or-later

+

+set -eu

+

+ROOT="$(git rev-parse --show-toplevel)"

+cd "$ROOT"

+

+fail() {

+  printf 'audit-actions-public-runners: %s\n' "$*" >&2

+  exit 1

+}

+

+ok() {

+  printf 'ok: %s\n' "$*"

+}

+

+require_file() {

+  [ -f "$1" ] || fail "missing required file: $1"

+  ok "found $1"

+}

+

+require_grep() {

+  pattern="$1"

+  file="$2"

+  desc="$3"

+  rg -q -- "$pattern" "$file" || fail "$desc not found in $file"

+  ok "$desc"

+}

+

+require_file "docs/internal/actions-public-runners.md"

+require_file "docs/internal/runbooks/actions-runner.md"

+require_file "docs/internal/runbooks/runner-deploy.md"

+require_file "deploy/doctl/provision-actions-runner-pool.sh"

+require_file "deploy/doctl/generate-actions-runner-inventory.sh"

+require_file "deploy/runner-config/firewall.sh.j2"

+require_file "deploy/runner-config/dnsmasq.conf.j2"

+require_file "deploy/runner-config/seccomp.json"

+

+require_grep 'WHEN COALESCE\(sp\.actions_enabled, true\) = false THEN false' \

+  "internal/actions/queries/actions_policy.sql" \

+  "site kill switch in effective policy"

+require_grep 'WHEN COALESCE\(sp\.actions_enabled, true\) = false THEN false' \

+  "internal/actions/queries/workflow_jobs.sql" \

+  "site kill switch in runner claim"

+require_grep 'TestEvaluateTrigger_SiteDisableOverridesRepoEnable' \

+  "internal/actions/policy/policy_test.go" \

+  "enqueue-time site kill switch test"

+require_grep 'TestRunnerHeartbeatSiteDisableOverridesRepoEnable' \

+  "internal/web/handlers/api/runners_test.go" \

+  "claim-time site kill switch test"

+require_grep 'TestRunnerHeartbeatRespectsRepoConcurrencyCap' \

+  "internal/web/handlers/api/runners_test.go" \

+  "repo concurrency claim test"

+require_grep 'TestRunnerHeartbeatRespectsOwnerConcurrencyCap' \

+  "internal/web/handlers/api/runners_test.go" \

+  "owner concurrency claim test"

+

+require_grep '--cap-drop=ALL' "internal/runner/engine/docker.go" "cap drop in Docker engine"

+require_grep '--read-only' "internal/runner/engine/docker.go" "read-only rootfs in Docker engine"

+require_grep '--security-opt=no-new-privileges' "internal/runner/engine/docker.go" "no-new-privileges in Docker engine"

+require_grep 'seccomp=' "internal/runner/engine/docker.go" "seccomp profile in Docker engine"

+require_grep '--user' "internal/runner/engine/docker.go" "non-root container user in Docker engine"

+require_grep 'rejects direct-IP' "docs/internal/runbooks/runner-deploy.md" "direct-IP egress runbook note"

+require_grep '-j REJECT' "deploy/runner-config/firewall.sh.j2" "runner firewall default reject"

+require_grep 'Do not put runner tokens' "deploy/doctl/actions-runner-cloud-init.yaml" "no-secret cloud-init warning"

+

+require_grep 'FeatureOrgActionsMinutesQuota' "internal/entitlements/entitlements.go" "actions minutes entitlement key"

+require_grep 'LimitOrgActionsMinutesQuota' "internal/entitlements/entitlements.go" "actions minutes limit key"

+require_grep 'no concrete number until' "docs/internal/actions-public-runners.md" "billing-metering caveat"

+require_grep 'controlled dogfood, not broad public GA' "docs/internal/actions-public-runners.md" "public runner rollout status"

+

+ok "S41j-6 public runner readiness static audit complete"