`be95514`

actions: harden live runner smoke path

Authored by mfwolffe <wolffemf@dukes.jmu.edu> yesterday

SHA: be9551470a5b3b0d44d0d02d386e5e31689c77f5
Parents: 9bd52be
Tree: e51a7f5

4 changed files

Status	File	+	-
M	`internal/runner/engine/docker.go`	1	1
M	`internal/runner/engine/docker_test.go`	1	1
M	`internal/web/handlers/api/api.go`	0	1
M	`internal/web/handlers/api/runners_test.go`	49	0

internal/runner/engine/docker.gomodified


 		"--ulimit", "nproc=" + defaultNprocLimit,
 		"--user", user,
 		"--workdir=" + workdir,
+		"--mount", "type=bind,src=" + job.WorkspaceDir + ",dst=/workspace",
 	}
 	for _, dns := range d.cfg.DNSServers {
 		dns = strings.TrimSpace(dns)

internal/runner/engine/docker_test.gomodified


 	if !reflect.DeepEqual(rec.args, want) {
 		t.Fatalf("args:\ngot  %#v\nwant %#v", rec.args, want)
 	}
+	if !strings.HasPrefix(rec.args[25], "type=bind,src=") || !strings.HasSuffix(rec.args[25], ",dst=/workspace") || strings.Contains(rec.args[25], ",rw") {
 		t.Fatalf("workspace mount arg: %q", rec.args[25])
 	}
 	if wantEnv := []string{"A=job", "B=step"}; !reflect.DeepEqual(rec.env, wantEnv) {

internal/web/handlers/api/api.gomodified


 	})
 	r.Group(func(r chi.Router) {
 		r.Use(middleware.MaxBodySize(runnerAPIMaxBodyBytes))

 		h.mountRunners(r)
 	})
 	r.Group(func(r chi.Router) {

internal/web/handlers/api/runners_test.gomodified

  	"github.com/tenseleyFlow/shithub/internal/auth/secretbox"
  	"github.com/tenseleyFlow/shithub/internal/infra/metrics"
  	"github.com/tenseleyFlow/shithub/internal/infra/storage"
++	"github.com/tenseleyFlow/shithub/internal/ratelimit"
  	repogit "github.com/tenseleyFlow/shithub/internal/repos/git"
  	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
  	"github.com/tenseleyFlow/shithub/internal/testing/dbtest"
  	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"
  	apih "github.com/tenseleyFlow/shithub/internal/web/handlers/api"
++	"github.com/tenseleyFlow/shithub/internal/web/handlers/api/apilimit"
  	workerdb "github.com/tenseleyFlow/shithub/internal/worker/sqlc"
+ )
+ 	}
+ }
++func TestRunnerHeartbeatBypassesGlobalAnonAPILimit(t *testing.T) {
++	pool := dbtest.NewTestDB(t)
++	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
++	token, _ := registerRunnerForTest(t, pool, []string{"ubuntu-latest", "linux"}, 1)
++	signer := runnerAPISigner(t, time.Date(2026, 5, 10, 12, 0, 0, 0, time.UTC))
++
++	h, err := apih.New(apih.Deps{
++		Pool:        pool,
++		Logger:      logger,
++		BaseURL:     "https://shithub.test",
++		RunnerJWT:   signer,
++		RateLimiter: ratelimit.New(pool),
++		APILimit: apilimit.Config{
++			AuthedPerHour: 1,
++			AnonPerHour:   1,
++			Logger:        logger,
++		},
++	})
++	if err != nil {
++		t.Fatalf("api.New: %v", err)
++	}
++	router := chi.NewRouter()
++	h.Mount(router)
++
++	req := httptest.NewRequest(http.MethodGet, "/api/v1/meta", nil)
++	req.RemoteAddr = "10.0.0.77:12345"
++	rr := httptest.NewRecorder()
++	router.ServeHTTP(rr, req)
++	if rr.Code != http.StatusOK {
++		t.Fatalf("meta status: got %d, want 200; body=%s", rr.Code, rr.Body.String())
++	}
++
++	req = httptest.NewRequest(http.MethodPost, "/api/v1/runners/heartbeat",
++		strings.NewReader(`{"labels":["ubuntu-latest","linux"],"capacity":1}`))
++	req.Header.Set("Authorization", "Bearer "+token)
++	req.RemoteAddr = "10.0.0.77:12346"
++	rr = httptest.NewRecorder()
++	router.ServeHTTP(rr, req)
++
++	if rr.Code != http.StatusNoContent {
++		t.Fatalf("heartbeat status: got %d, want 204; body=%s", rr.Code, rr.Body.String())
++	}
++	if got := rr.Header().Get("X-RateLimit-Limit"); got != "60" {
++		t.Errorf("runner heartbeat limit header: got %q, want 60", got)
++	}
++}
++
  func TestRunnerSecretsAreClaimedAndServerScrubsLogs(t *testing.T) {
  	ctx := context.Background()
  	pool := dbtest.NewTestDB(t)

`@@ -378,7 +378,7 @@` func (d *Docker) dockerInvocation(job Job, step Step) (dockerInvocation, error)
378	"--ulimit", "nproc=" + defaultNprocLimit,	378	"--ulimit", "nproc=" + defaultNprocLimit,
379	"--user", user,	379	"--user", user,
380	"--workdir=" + workdir,	380	"--workdir=" + workdir,
381	- "--mount", "type=bind,src=" + job.WorkspaceDir + ",dst=/workspace,rw",	381	+ "--mount", "type=bind,src=" + job.WorkspaceDir + ",dst=/workspace",
382	}	382	}
383	for _, dns := range d.cfg.DNSServers {	383	for _, dns := range d.cfg.DNSServers {
384	dns = strings.TrimSpace(dns)	384	dns = strings.TrimSpace(dns)

`@@ -153,7 +153,7 @@` func TestDockerExecute_BuildsResourceCappedRunCommand(t *testing.T) {
153	if !reflect.DeepEqual(rec.args, want) {	153	if !reflect.DeepEqual(rec.args, want) {
154	t.Fatalf("args:\ngot %#v\nwant %#v", rec.args, want)	154	t.Fatalf("args:\ngot %#v\nwant %#v", rec.args, want)
155	}	155	}
156	- if !strings.HasPrefix(rec.args[25], "type=bind,src=") \|\| !strings.HasSuffix(rec.args[25], ",dst=/workspace,rw") {	156	+ if !strings.HasPrefix(rec.args[25], "type=bind,src=") \|\| !strings.HasSuffix(rec.args[25], ",dst=/workspace") \|\| strings.Contains(rec.args[25], ",rw") {
157	t.Fatalf("workspace mount arg: %q", rec.args[25])	157	t.Fatalf("workspace mount arg: %q", rec.args[25])
158	}	158	}
159	if wantEnv := []string{"A=job", "B=step"}; !reflect.DeepEqual(rec.env, wantEnv) {	159	if wantEnv := []string{"A=job", "B=step"}; !reflect.DeepEqual(rec.env, wantEnv) {

`@@ -113,7 +113,6 @@` func (h *Handlers) Mount(r chi.Router) {
113	})	113	})
114	r.Group(func(r chi.Router) {	114	r.Group(func(r chi.Router) {
115	r.Use(middleware.MaxBodySize(runnerAPIMaxBodyBytes))	115	r.Use(middleware.MaxBodySize(runnerAPIMaxBodyBytes))
116	- r.Use(apiLimitMW)
117	h.mountRunners(r)	116	h.mountRunners(r)
118	})	117	})
119	r.Group(func(r chi.Router) {	118	r.Group(func(r chi.Router) {