tenseleyflow/shithub / a325a33

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+// Package actionspolicy owns Actions-specific runtime policy: whether a

+// matched workflow may be queued, whether it must pause for approval, and the

+// abuse caps that keep a shared runner pool from being monopolized.

+package actionspolicy

+

+import (

+	"context"

+	"errors"

+	"fmt"

+	"time"

+

+	"github.com/jackc/pgx/v5/pgtype"

+	"github.com/jackc/pgx/v5/pgxpool"

+

+	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"

+	authpolicy "github.com/tenseleyFlow/shithub/internal/auth/policy"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+)

+

+var (

+	ErrActionsDisabled = errors.New("actions policy: actions disabled")

+	ErrRepoQueuedCap   = errors.New("actions policy: repo queued-run cap reached")

+	ErrActorRateLimit  = errors.New("actions policy: actor trigger rate limit reached")

+	ErrActorRequired   = errors.New("actions policy: actor required")

+	ErrActorNotFound   = errors.New("actions policy: actor not found")

+	ErrUnauthorized    = errors.New("actions policy: actor cannot run actions")

+)

+

+// Deps wires policy evaluation to storage and auth policy role lookups.

+type Deps struct {

+	Pool *pgxpool.Pool

+}

+

+// TriggerRequest describes one matched workflow about to become a run.

+type TriggerRequest struct {

+	Repo        reposdb.Repo

+	EventKind   string

+	ActorUserID int64

+	Now         time.Time

+}

+

+// TriggerDecision is the dispatch posture for one matched workflow.

+type TriggerDecision struct {

+	Allow          bool

+	NeedApproval   bool

+	ApprovalReason string

+	Reason         string

+	Policy         actionsdb.GetEffectiveActionsPolicyForRepoRow

+}

+

+// EvaluateTrigger applies site/org/repo Actions policy, auth policy, and

+// enqueue-time abuse caps. It never grants repository privileges itself:

+// push/dispatch/same-repo trusted PR execution flows through

+// internal/auth/policy.ActionActionsRun. Untrusted PRs can only be queued in

+// a paused approval-required state.

+func EvaluateTrigger(ctx context.Context, deps Deps, req TriggerRequest) (TriggerDecision, error) {

+	if deps.Pool == nil {

+		return TriggerDecision{}, errors.New("actions policy: nil Pool")

+	}

+	q := actionsdb.New()

+	pol, err := q.GetEffectiveActionsPolicyForRepo(ctx, deps.Pool, req.Repo.ID)

+	if err != nil {

+		return TriggerDecision{}, err

+	}

+	base := TriggerDecision{Policy: pol}

+	if !pol.ActionsEnabled {

+		base.Reason = "actions disabled by policy"

+		return base, ErrActionsDisabled

+	}

+	if req.Repo.DeletedAt.Valid {

+		base.Reason = "repo deleted"

+		return base, ErrUnauthorized

+	}

+	if req.Repo.IsArchived {

+		base.Reason = "repo archived"

+		return base, ErrUnauthorized

+	}

+	if err := checkEnqueueCaps(ctx, q, deps.Pool, req, pol); err != nil {

+		base.Reason = err.Error()

+		return base, err

+	}

+

+	if req.EventKind == "schedule" {

+		base.Allow = true

+		base.Reason = "schedule trigger"

+		return base, nil

+	}

+	if req.ActorUserID == 0 {

+		base.Reason = "actor required"

+		return base, ErrActorRequired

+	}

+	user, err := usersdb.New().GetUserByID(ctx, deps.Pool, req.ActorUserID)

+	if err != nil {

+		base.Reason = "actor not found"

+		return base, fmt.Errorf("%w: %w", ErrActorNotFound, err)

+	}

+	actor := authpolicy.UserActor(user.ID, user.Username, user.SuspendedAt.Valid, user.IsSiteAdmin)

+	authz := authpolicy.Can(ctx, authpolicy.Deps{Pool: deps.Pool}, actor, authpolicy.ActionActionsRun, authpolicy.NewRepoRefFromRepo(req.Repo))

+	if authz.Allow {

+		base.Allow = true

+		base.Reason = "actor can run actions"

+		return base, nil

+	}

+	if user.SuspendedAt.Valid {

+		base.Reason = "actor suspended"

+		return base, ErrUnauthorized

+	}

+	if req.EventKind == "pull_request" {

+		base.Allow = true

+		if pol.RequirePrApproval {

+			base.NeedApproval = true

+			base.ApprovalReason = "Pull request workflow requires maintainer approval before runner dispatch."

+			base.Reason = "pull request requires approval"

+		} else {

+			base.Reason = "pull request approval disabled by policy"

+		}

+		return base, nil

+	}

+	base.Reason = authz.Reason

+	return base, ErrUnauthorized

+}

+

+func checkEnqueueCaps(

+	ctx context.Context,

+	q *actionsdb.Queries,

+	db actionsdb.DBTX,

+	req TriggerRequest,

+	pol actionsdb.GetEffectiveActionsPolicyForRepoRow,

+) error {

+	queued, err := q.CountQueuedWorkflowRunsForRepo(ctx, db, req.Repo.ID)

+	if err != nil {

+		return err

+	}

+	if queued >= int64(pol.MaxRepoQueuedRuns) {

+		return ErrRepoQueuedCap

+	}

+	if req.ActorUserID == 0 {

+		return nil

+	}

+	now := req.Now

+	if now.IsZero() {

+		now = time.Now()

+	}

+	recent, err := q.CountRecentWorkflowRunsForActor(ctx, db, actionsdb.CountRecentWorkflowRunsForActorParams{

+		ActorUserID: pgtype.Int8{Int64: req.ActorUserID, Valid: true},

+		Since:       pgtype.Timestamptz{Time: now.Add(-time.Hour), Valid: true},

+	})

+	if err != nil {

+		return err

+	}

+	if recent >= int64(pol.ActorTriggerLimitPerHour) {

+		return ErrActorRateLimit

+	}

+	return nil

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package actionspolicy_test

+

+import (

+	"context"

+	"errors"

+	"strings"

+	"testing"

+

+	"github.com/jackc/pgx/v5/pgtype"

+	"github.com/jackc/pgx/v5/pgxpool"

+

+	actionspolicy "github.com/tenseleyFlow/shithub/internal/actions/policy"

+	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/actions/trigger"

+	orgsdb "github.com/tenseleyFlow/shithub/internal/orgs/sqlc"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/testing/dbtest"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+)

+

+const policyFixtureHash = "$argon2id$v=19$m=16384,t=1,p=1$" +

+	"AAAAAAAAAAAAAAAA$" +

+	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

+

+type policyFx struct {

+	ctx       context.Context

+	pool      *pgxpool.Pool

+	owner     usersdb.User

+	writeUser usersdb.User

+	readUser  usersdb.User

+	outsider  usersdb.User

+	suspended usersdb.User

+	siteAdmin usersdb.User

+	orgOwner  usersdb.User

+	repo      reposdb.Repo

+	orgRepo   reposdb.Repo

+}

+

+func setupPolicyFx(t *testing.T) policyFx {

+	t.Helper()

+	pool := dbtest.NewTestDB(t)

+	ctx := context.Background()

+	uq := usersdb.New()

+	mkUser := func(name string) usersdb.User {

+		t.Helper()

+		u, err := uq.CreateUser(ctx, pool, usersdb.CreateUserParams{

+			Username: name, DisplayName: name, PasswordHash: policyFixtureHash,

+		})

+		if err != nil {

+			t.Fatalf("CreateUser %s: %v", name, err)

+		}

+		return u

+	}

+	owner := mkUser("owner")

+	writeUser := mkUser("writer")

+	readUser := mkUser("reader")

+	outsider := mkUser("outsider")

+	suspended := mkUser("suspended")

+	siteAdmin := mkUser("siteadmin")

+	orgOwner := mkUser("orgowner")

+	if _, err := pool.Exec(ctx, `UPDATE users SET suspended_at = now() WHERE id = $1`, suspended.ID); err != nil {

+		t.Fatalf("suspend user: %v", err)

+	}

+	if _, err := pool.Exec(ctx, `UPDATE users SET is_site_admin = true WHERE id = $1`, siteAdmin.ID); err != nil {

+		t.Fatalf("site admin user: %v", err)

+	}

+	rq := reposdb.New()

+	repo, err := rq.CreateRepo(ctx, pool, reposdb.CreateRepoParams{

+		OwnerUserID:   pgtype.Int8{Int64: owner.ID, Valid: true},

+		Name:          "demo",

+		DefaultBranch: "trunk",

+		Visibility:    reposdb.RepoVisibilityPublic,

+	})

+	if err != nil {

+		t.Fatalf("CreateRepo: %v", err)

+	}

+	if _, err := pool.Exec(ctx, `INSERT INTO repo_collaborators (repo_id, user_id, role, added_by_user_id) VALUES ($1, $2, 'write', $3), ($1, $4, 'read', $3)`,

+		repo.ID, writeUser.ID, owner.ID, readUser.ID); err != nil {

+		t.Fatalf("insert collaborators: %v", err)

+	}

+	org, err := orgsdb.New().CreateOrg(ctx, pool, orgsdb.CreateOrgParams{

+		Slug:            "acme",

+		DisplayName:     "Acme",

+		CreatedByUserID: pgtype.Int8{Int64: orgOwner.ID, Valid: true},

+	})

+	if err != nil {

+		t.Fatalf("CreateOrg: %v", err)

+	}

+	if _, err := pool.Exec(ctx, `INSERT INTO org_members (org_id, user_id, role) VALUES ($1, $2, 'owner')`, org.ID, orgOwner.ID); err != nil {

+		t.Fatalf("insert org owner: %v", err)

+	}

+	orgRepo, err := rq.CreateRepo(ctx, pool, reposdb.CreateRepoParams{

+		OwnerOrgID:    pgtype.Int8{Int64: org.ID, Valid: true},

+		Name:          "org-demo",

+		DefaultBranch: "trunk",

+		Visibility:    reposdb.RepoVisibilityPublic,

+	})

+	if err != nil {

+		t.Fatalf("CreateRepo org: %v", err)

+	}

+	return policyFx{

+		ctx:       ctx,

+		pool:      pool,

+		owner:     owner,

+		writeUser: writeUser,

+		readUser:  readUser,

+		outsider:  outsider,

+		suspended: suspended,

+		siteAdmin: siteAdmin,

+		orgOwner:  orgOwner,

+		repo:      repo,

+		orgRepo:   orgRepo,

+	}

+}

+

+func TestEvaluateTrigger_TrustMatrix(t *testing.T) {

+	t.Parallel()

+	f := setupPolicyFx(t)

+	deps := actionspolicy.Deps{Pool: f.pool}

+	tests := []struct {

+		name         string

+		repo         reposdb.Repo

+		actorID      int64

+		event        trigger.EventKind

+		wantAllow    bool

+		wantApproval bool

+		wantErr      error

+	}{

+		{name: "owner push runs", repo: f.repo, actorID: f.owner.ID, event: trigger.EventPush, wantAllow: true},

+		{name: "write collaborator push runs", repo: f.repo, actorID: f.writeUser.ID, event: trigger.EventPush, wantAllow: true},

+		{name: "org owner push runs", repo: f.orgRepo, actorID: f.orgOwner.ID, event: trigger.EventPush, wantAllow: true},

+		{name: "read collaborator pr pauses for approval", repo: f.repo, actorID: f.readUser.ID, event: trigger.EventPullRequest, wantAllow: true, wantApproval: true},

+		{name: "outsider pr pauses for approval", repo: f.repo, actorID: f.outsider.ID, event: trigger.EventPullRequest, wantAllow: true, wantApproval: true},

+		{name: "outsider push denied", repo: f.repo, actorID: f.outsider.ID, event: trigger.EventPush, wantErr: actionspolicy.ErrUnauthorized},

+		{name: "suspended actor denied", repo: f.repo, actorID: f.suspended.ID, event: trigger.EventPush, wantErr: actionspolicy.ErrUnauthorized},

+		{name: "site admin write does not bypass repo role", repo: f.repo, actorID: f.siteAdmin.ID, event: trigger.EventPush, wantErr: actionspolicy.ErrUnauthorized},

+	}

+	for _, tt := range tests {

+		tt := tt

+		t.Run(tt.name, func(t *testing.T) {

+			dec, err := actionspolicy.EvaluateTrigger(f.ctx, deps, actionspolicy.TriggerRequest{

+				Repo:        tt.repo,

+				EventKind:   string(tt.event),

+				ActorUserID: tt.actorID,

+			})

+			if tt.wantErr != nil {

+				if !errors.Is(err, tt.wantErr) {

+					t.Fatalf("err=%v, want %v (decision=%+v)", err, tt.wantErr, dec)

+				}

+				return

+			}

+			if err != nil {

+				t.Fatalf("EvaluateTrigger: %v", err)

+			}

+			if dec.Allow != tt.wantAllow || dec.NeedApproval != tt.wantApproval {

+				t.Fatalf("decision=%+v, want allow=%t approval=%t", dec, tt.wantAllow, tt.wantApproval)

+			}

+		})

+	}

+}

+

+func TestEvaluateTrigger_PullRequestApprovalPolicyCanAllowImmediateRun(t *testing.T) {

+	t.Parallel()

+	f := setupPolicyFx(t)

+	if _, err := actionsdb.New().UpsertActionsRepoPolicy(f.ctx, f.pool, actionsdb.UpsertActionsRepoPolicyParams{

+		RepoID:            f.repo.ID,

+		ActionsEnabled:    actionsdb.ActionsPolicyStateInherit,

+		RequirePrApproval: pgtype.Bool{Bool: false, Valid: true},

+	}); err != nil {

+		t.Fatalf("UpsertActionsRepoPolicy: %v", err)

+	}

+

+	dec, err := actionspolicy.EvaluateTrigger(f.ctx, actionspolicy.Deps{Pool: f.pool}, actionspolicy.TriggerRequest{

+		Repo:        f.repo,

+		EventKind:   string(trigger.EventPullRequest),

+		ActorUserID: f.outsider.ID,

+	})

+	if err != nil {

+		t.Fatalf("EvaluateTrigger: %v", err)

+	}

+	if !dec.Allow || dec.NeedApproval {

+		t.Fatalf("decision=%+v, want immediate PR run", dec)

+	}

+}

+

+func TestEvaluateTrigger_DeniesArchivedAndDisabledRepos(t *testing.T) {

+	t.Parallel()

+	f := setupPolicyFx(t)

+	archived := f.repo

+	archived.IsArchived = true

+	if dec, err := actionspolicy.EvaluateTrigger(f.ctx, actionspolicy.Deps{Pool: f.pool}, actionspolicy.TriggerRequest{

+		Repo:        archived,

+		EventKind:   string(trigger.EventPush),

+		ActorUserID: f.owner.ID,

+	}); !errors.Is(err, actionspolicy.ErrUnauthorized) || dec.Allow {

+		t.Fatalf("archived decision=%+v err=%v", dec, err)

+	}

+

+	if _, err := actionsdb.New().UpsertActionsRepoPolicy(f.ctx, f.pool, actionsdb.UpsertActionsRepoPolicyParams{

+		RepoID:         f.repo.ID,

+		ActionsEnabled: actionsdb.ActionsPolicyStateDisabled,

+	}); err != nil {

+		t.Fatalf("UpsertActionsRepoPolicy: %v", err)

+	}

+	if dec, err := actionspolicy.EvaluateTrigger(f.ctx, actionspolicy.Deps{Pool: f.pool}, actionspolicy.TriggerRequest{

+		Repo:        f.repo,

+		EventKind:   string(trigger.EventPush),

+		ActorUserID: f.owner.ID,

+	}); !errors.Is(err, actionspolicy.ErrActionsDisabled) || dec.Allow {

+		t.Fatalf("disabled decision=%+v err=%v", dec, err)

+	}

+}

+

+func TestEvaluateTrigger_EnforcesQueueAndActorCaps(t *testing.T) {

+	t.Parallel()

+	f := setupPolicyFx(t)

+	q := actionsdb.New()

+	if _, err := q.UpsertActionsRepoPolicy(f.ctx, f.pool, actionsdb.UpsertActionsRepoPolicyParams{

+		RepoID:                   f.repo.ID,

+		ActionsEnabled:           actionsdb.ActionsPolicyStateInherit,

+		MaxRepoQueuedRuns:        pgtype.Int4{Int32: 1, Valid: true},

+		ActorTriggerLimitPerHour: pgtype.Int4{Int32: 1, Valid: true},

+	}); err != nil {

+		t.Fatalf("UpsertActionsRepoPolicy: %v", err)

+	}

+	if _, err := q.InsertWorkflowRun(f.ctx, f.pool, actionsdb.InsertWorkflowRunParams{

+		RepoID:       f.repo.ID,

+		RunIndex:     1,

+		WorkflowFile: ".shithub/workflows/ci.yml",

+		WorkflowName: "CI",

+		HeadSha:      strings.Repeat("a", 40),

+		HeadRef:      "refs/heads/trunk",

+		Event:        actionsdb.WorkflowRunEventPush,

+		EventPayload: []byte("{}"),

+		ActorUserID:  pgtype.Int8{Int64: f.owner.ID, Valid: true},

+		NeedApproval: false,

+	}); err != nil {

+		t.Fatalf("InsertWorkflowRun: %v", err)

+	}

+	dec, err := actionspolicy.EvaluateTrigger(f.ctx, actionspolicy.Deps{Pool: f.pool}, actionspolicy.TriggerRequest{

+		Repo:        f.repo,

+		EventKind:   string(trigger.EventPush),

+		ActorUserID: f.owner.ID,

+	})

+	if !errors.Is(err, actionspolicy.ErrRepoQueuedCap) || dec.Allow {

+		t.Fatalf("queue cap decision=%+v err=%v", dec, err)

+	}

+	if _, err := f.pool.Exec(f.ctx, `

+		UPDATE workflow_runs

+		   SET status = 'completed',

+		       conclusion = 'success',

+		       started_at = now(),

+		       completed_at = now()

+		 WHERE repo_id = $1`,

+		f.repo.ID); err != nil {

+		t.Fatalf("complete queued run: %v", err)

+	}

+	dec, err = actionspolicy.EvaluateTrigger(f.ctx, actionspolicy.Deps{Pool: f.pool}, actionspolicy.TriggerRequest{

+		Repo:        f.repo,

+		EventKind:   string(trigger.EventPush),

+		ActorUserID: f.owner.ID,

+	})

+	if !errors.Is(err, actionspolicy.ErrActorRateLimit) || dec.Allow {

+		t.Fatalf("actor cap decision=%+v err=%v", dec, err)

+	}

+}

+

+	// NeedApproval pauses runner dispatch until a maintainer approves the

+	// run. The row still becomes visible in the Actions UI and check list.

+	NeedApproval bool

+

+	// ApprovalReason is stored with the approval request. It must stay

+	// structural; never include event payloads, env, logs, or secrets.

+	ApprovalReason string

+		NeedApproval:     p.NeedApproval,

+	if p.NeedApproval {

+		if _, err := q.InsertWorkflowRunApproval(ctx, tx, actionsdb.InsertWorkflowRunApprovalParams{

+			RunID:           run.ID,

+			RequestedReason: p.ApprovalReason,

+		}); err != nil {

+			return Result{}, fmt.Errorf("trigger: insert approval request: %w", err)

+		}

+	}

+	actionspolicy "github.com/tenseleyFlow/shithub/internal/actions/policy"

+			decision, err := actionspolicy.EvaluateTrigger(ctx, actionspolicy.Deps{Pool: deps.Pool}, actionspolicy.TriggerRequest{

+				Repo:        repo,

+				EventKind:   string(p.EventKind),

+				ActorUserID: p.ActorUserID,

+				Now:         time.Now(),

+			})

+			if err != nil || !decision.Allow {

+				if isExpectedPolicySkip(err) || !decision.Allow {

+					deps.Logger.InfoContext(ctx, "trigger: workflow skipped by actions policy",

+						"repo_id", p.RepoID, "path", f.Path, "event", p.EventKind, "reason", decision.Reason, "error", err)

+					continue

+				}

+				return fmt.Errorf("trigger: evaluate actions policy: %w", err)

+			}

+				NeedApproval:   decision.NeedApproval,

+				ApprovalReason: decision.ApprovalReason,

+func isExpectedPolicySkip(err error) bool {

+	return errors.Is(err, actionspolicy.ErrActionsDisabled) ||

+		errors.Is(err, actionspolicy.ErrRepoQueuedCap) ||

+		errors.Is(err, actionspolicy.ErrActorRateLimit) ||

+		errors.Is(err, actionspolicy.ErrActorRequired) ||

+		errors.Is(err, actionspolicy.ErrActorNotFound) ||

+		errors.Is(err, actionspolicy.ErrUnauthorized)

+}

+

+

+	ActionActionsRun     Action = "actions:run"

+	ActionActionsApprove Action = "actions:approve"

+	ActionActionsRun, ActionActionsApprove,

+	case ActionRepoWrite, ActionActionsRun, ActionPullCreate, ActionPullReview, ActionPullClose:

+	case ActionRepoSettingsGeneral, ActionRepoSettingsBranches, ActionActionsApprove:

+	case policy.ActionRepoWrite, policy.ActionActionsRun, policy.ActionPullCreate, policy.ActionPullReview, policy.ActionPullClose:

+	case policy.ActionRepoSettingsGeneral, policy.ActionRepoSettingsBranches, policy.ActionActionsApprove:

+// Trust gate: the trigger handler evaluates the author through

+// internal/auth/policy and either queues the run as trusted or marks it

+// approval-required. This helper only supplies the canonical PR event.

+		RepoID:         repo.ID,

+	resolvedSecrets, err := h.resolveVisibleSecretsFromDB(ctx, tx, job.RepoID, job.Event)

+	return h.resolveVisibleSecretsFromDB(ctx, h.d.Pool, repoID, "")

+func (h *Handlers) resolveVisibleSecretsFromDB(ctx context.Context, db secretResolutionDB, repoID int64, event actionsdb.WorkflowRunEvent) (map[string]string, error) {

+	if event == actionsdb.WorkflowRunEventPullRequest {

+		return nil, nil

+	}

+	actionslifecycle "github.com/tenseleyFlow/shithub/internal/actions/lifecycle"

+func TestRunnerHeartbeatDoesNotClaimApprovalPendingRun(t *testing.T) {

+	ctx := context.Background()

+	pool := dbtest.NewTestDB(t)

+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))

+	repoID, userID := setupRunnerAPIRepo(t, pool)

+	runID := enqueueRunnerAPIRun(t, pool, logger, repoID, userID)

+	q := actionsdb.New()

+	if _, err := pool.Exec(ctx, `UPDATE workflow_runs SET need_approval = true WHERE id = $1`, runID); err != nil {

+		t.Fatalf("mark run approval pending: %v", err)

+	}

+	if _, err := q.InsertWorkflowRunApproval(ctx, pool, actionsdb.InsertWorkflowRunApprovalParams{

+		RunID:           runID,

+		RequestedReason: "test approval",

+	}); err != nil {

+		t.Fatalf("InsertWorkflowRunApproval: %v", err)

+	}

+

+	token, _ := registerRunnerForTest(t, pool, []string{"ubuntu-latest", "linux"}, 1)

+	router := newRunnerAPIRouter(t, pool, logger, runnerAPISigner(t, time.Now()))

+

+	req := httptest.NewRequest(http.MethodPost, "/api/v1/runners/heartbeat",

+		strings.NewReader(`{"labels":["ubuntu-latest","linux"],"capacity":1}`))

+	req.Header.Set("Authorization", "Bearer "+token)

+	rr := httptest.NewRecorder()

+	router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusNoContent {

+		t.Fatalf("pending heartbeat status: got %d, want 204; body=%s", rr.Code, rr.Body.String())

+	}

+	jobs, err := q.ListJobsForRun(ctx, pool, runID)

+	if err != nil {

+		t.Fatalf("ListJobsForRun: %v", err)

+	}

+	if len(jobs) != 1 || jobs[0].Status != actionsdb.WorkflowJobStatusQueued {

+		t.Fatalf("approval-pending job changed: %+v", jobs)

+	}

+

+	if _, err := actionslifecycle.ApproveRun(ctx, actionslifecycle.Deps{Pool: pool, Logger: logger}, runID, userID); err != nil {

+		t.Fatalf("ApproveRun: %v", err)

+	}

+	req = httptest.NewRequest(http.MethodPost, "/api/v1/runners/heartbeat",

+		strings.NewReader(`{"labels":["ubuntu-latest","linux"],"capacity":1}`))

+	req.Header.Set("Authorization", "Bearer "+token)

+	rr = httptest.NewRecorder()

+	router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusOK {

+		t.Fatalf("approved heartbeat status: got %d, want 200; body=%s", rr.Code, rr.Body.String())

+	}

+}

+

+func TestRunnerDoesNotInjectSecretsIntoPullRequestRuns(t *testing.T) {

+	ctx := context.Background()

+	pool := dbtest.NewTestDB(t)

+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))

+	repoID, userID := setupRunnerAPIRepo(t, pool)

+	runID := enqueueRunnerAPIEventRun(t, pool, logger, repoID, userID, trigger.EventPullRequest, map[string]any{"action": "opened"})

+	box := testRunnerAPISecretBox(t)

+	if err := (actionsecrets.Deps{Pool: pool, Box: box}).Set(ctx, actionsecrets.RepoScope(repoID), "TOKEN", []byte("hunter2"), userID); err != nil {

+		t.Fatalf("Set secret: %v", err)

+	}

+

+	token, _ := registerRunnerForTest(t, pool, []string{"ubuntu-latest", "linux"}, 1)

+	router := newRunnerAPIRouterWithSecretBox(t, pool, logger, runnerAPISigner(t, time.Now()), box)

+	req := httptest.NewRequest(http.MethodPost, "/api/v1/runners/heartbeat",

+		strings.NewReader(`{"labels":["ubuntu-latest","linux"],"capacity":1}`))

+	req.Header.Set("Authorization", "Bearer "+token)

+	rr := httptest.NewRecorder()

+	router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusOK {

+		t.Fatalf("heartbeat status: got %d, want 200; body=%s", rr.Code, rr.Body.String())

+	}

+	var claim struct {

+		Job struct {

+			RunID      int64             `json:"run_id"`

+			Secrets    map[string]string `json:"secrets"`

+			MaskValues []string          `json:"mask_values"`

+		} `json:"job"`

+	}

+	if err := json.Unmarshal(rr.Body.Bytes(), &claim); err != nil {

+		t.Fatalf("decode claim: %v", err)

+	}

+	if claim.Job.RunID != runID {

+		t.Fatalf("claimed wrong run: %+v", claim.Job)

+	}

+	if len(claim.Job.Secrets) != 0 || len(claim.Job.MaskValues) != 0 {

+		t.Fatalf("pull_request run received secrets: %+v", claim.Job)

+	}

+}

+

+	t.Helper()

+	return enqueueRunnerAPIEventRun(t, pool, logger, repoID, userID, trigger.EventPush, map[string]any{"ref": "refs/heads/trunk"})

+}

+

+func enqueueRunnerAPIEventRun(t *testing.T, pool *pgxpool.Pool, logger *slog.Logger, repoID, userID int64, event trigger.EventKind, payload map[string]any) int64 {

+		EventKind:      event,

+		EventPayload:   payload,

+		TriggerEventID: "runner-api-test:" + string(event),

+	actionspolicy "github.com/tenseleyFlow/shithub/internal/actions/policy"

+	decision, err := actionspolicy.EvaluateTrigger(r.Context(), actionspolicy.Deps{Pool: h.d.Pool}, actionspolicy.TriggerRequest{

+		Repo:        row,

+		EventKind:   string(trigger.EventWorkflowDispatch),

+		ActorUserID: actorID,

+	})

+	if err != nil || !decision.Allow {

+		h.d.Logger.WarnContext(r.Context(), "actions dispatch: blocked by actions policy",

+			"repo_id", row.ID, "workflow_file", file, "reason", decision.Reason, "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusForbidden, "Actions are not allowed to run for this repository.")

+		return

+	}

+	orgsdb "github.com/tenseleyFlow/shithub/internal/orgs/sqlc"

+// Trust gate: the trigger handler evaluates the PR author through

+// internal/auth/policy. Trusted same-repo collaborators run immediately;

+// untrusted PRs are queued in an approval-required state when policy allows.

+	if !issue.AuthorUserID.Valid {

+		deps.Logger.InfoContext(ctx, "pr: skipping workflow:trigger (missing author)",

+	ownerLogin, err := resolvePRActionsOwnerLogin(ctx, deps.Pool, repo)

+	gitDir, err := deps.RepoFS.RepoPath(ownerLogin, repo.Name)

+	authorLogin := ""

+	if u, err := usersdb.New().GetUserByID(ctx, deps.Pool, issue.AuthorUserID.Int64); err == nil {

+		authorLogin = u.Username

+	}

+

+func resolvePRActionsOwnerLogin(ctx context.Context, pool *pgxpool.Pool, repo reposdb.Repo) (string, error) {

+	if repo.OwnerUserID.Valid {

+		u, err := usersdb.New().GetUserByID(ctx, pool, repo.OwnerUserID.Int64)

+		if err != nil {

+			return "", err

+		}

+		return u.Username, nil

+	}

+	if repo.OwnerOrgID.Valid {

+		o, err := orgsdb.New().GetOrgByID(ctx, pool, repo.OwnerOrgID.Int64)

+		if err != nil {

+			return "", err

+		}

+		return o.Slug, nil

+	}

+	return "", errors.New("repo has neither owner_user_id nor owner_org_id")

+}