`be95514`

actions: harden live runner smoke path

Authored by mfwolffe <wolffemf@dukes.jmu.edu> yesterday

SHA: be9551470a5b3b0d44d0d02d386e5e31689c77f5
Parents: 9bd52be
Tree: e51a7f5

4 changed files

Status	File	+	-
M	`internal/runner/engine/docker.go`	1	1
M	`internal/runner/engine/docker_test.go`	1	1
M	`internal/web/handlers/api/api.go`	0	1
M	`internal/web/handlers/api/runners_test.go`	49	0

internal/runner/engine/docker.gomodified

  		"--ulimit", "nproc=" + defaultNprocLimit,
  		"--user", user,
  		"--workdir=" + workdir,
 -		"--mount", "type=bind,src=" + job.WorkspaceDir + ",dst=/workspace,rw",
 +		"--mount", "type=bind,src=" + job.WorkspaceDir + ",dst=/workspace",
+ 	}
  	for _, dns := range d.cfg.DNSServers {
  		dns = strings.TrimSpace(dns)

internal/runner/engine/docker_test.gomodified


 	if !reflect.DeepEqual(rec.args, want) {
 		t.Fatalf("args:\ngot  %#v\nwant %#v", rec.args, want)
 	}
-	if !strings.HasPrefix(rec.args[25], "type=bind,src=") || !strings.HasSuffix(rec.args[25], ",dst=/workspace,rw") {
+	if !strings.HasPrefix(rec.args[25], "type=bind,src=") || !strings.HasSuffix(rec.args[25], ",dst=/workspace") || strings.Contains(rec.args[25], ",rw") {
 		t.Fatalf("workspace mount arg: %q", rec.args[25])
 	}
 	if wantEnv := []string{"A=job", "B=step"}; !reflect.DeepEqual(rec.env, wantEnv) {

internal/web/handlers/api/api.gomodified

  	})
  	r.Group(func(r chi.Router) {
  		r.Use(middleware.MaxBodySize(runnerAPIMaxBodyBytes))
 -		r.Use(apiLimitMW)
  		h.mountRunners(r)
  	})
  	r.Group(func(r chi.Router) {

internal/web/handlers/api/runners_test.gomodified

  	"github.com/tenseleyFlow/shithub/internal/auth/secretbox"
  	"github.com/tenseleyFlow/shithub/internal/infra/metrics"
  	"github.com/tenseleyFlow/shithub/internal/infra/storage"
 +	"github.com/tenseleyFlow/shithub/internal/ratelimit"
  	repogit "github.com/tenseleyFlow/shithub/internal/repos/git"
  	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
  	"github.com/tenseleyFlow/shithub/internal/testing/dbtest"
  	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"
  	apih "github.com/tenseleyFlow/shithub/internal/web/handlers/api"
 +	"github.com/tenseleyFlow/shithub/internal/web/handlers/api/apilimit"
  	workerdb "github.com/tenseleyFlow/shithub/internal/worker/sqlc"
+ )
+ 	}
+ }
 +func TestRunnerHeartbeatBypassesGlobalAnonAPILimit(t *testing.T) {
 +	pool := dbtest.NewTestDB(t)
 +	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
 +	token, _ := registerRunnerForTest(t, pool, []string{"ubuntu-latest", "linux"}, 1)
 +	signer := runnerAPISigner(t, time.Date(2026, 5, 10, 12, 0, 0, 0, time.UTC))
++
 +	h, err := apih.New(apih.Deps{
 +		Pool:        pool,
 +		Logger:      logger,
 +		BaseURL:     "https://shithub.test",
 +		RunnerJWT:   signer,
 +		RateLimiter: ratelimit.New(pool),
 +		APILimit: apilimit.Config{
 +			AuthedPerHour: 1,
 +			AnonPerHour:   1,
 +			Logger:        logger,
 +		},
 +	})
 +	if err != nil {
 +		t.Fatalf("api.New: %v", err)
 +	}
 +	router := chi.NewRouter()
 +	h.Mount(router)
++
 +	req := httptest.NewRequest(http.MethodGet, "/api/v1/meta", nil)
 +	req.RemoteAddr = "10.0.0.77:12345"
 +	rr := httptest.NewRecorder()
 +	router.ServeHTTP(rr, req)
 +	if rr.Code != http.StatusOK {
 +		t.Fatalf("meta status: got %d, want 200; body=%s", rr.Code, rr.Body.String())
 +	}
++
 +	req = httptest.NewRequest(http.MethodPost, "/api/v1/runners/heartbeat",
 +		strings.NewReader(`{"labels":["ubuntu-latest","linux"],"capacity":1}`))
 +	req.Header.Set("Authorization", "Bearer "+token)
 +	req.RemoteAddr = "10.0.0.77:12346"
 +	rr = httptest.NewRecorder()
 +	router.ServeHTTP(rr, req)
++
 +	if rr.Code != http.StatusNoContent {
 +		t.Fatalf("heartbeat status: got %d, want 204; body=%s", rr.Code, rr.Body.String())
 +	}
 +	if got := rr.Header().Get("X-RateLimit-Limit"); got != "60" {
 +		t.Errorf("runner heartbeat limit header: got %q, want 60", got)
 +	}
 +}
++
  func TestRunnerSecretsAreClaimedAndServerScrubsLogs(t *testing.T) {
  	ctx := context.Background()
  	pool := dbtest.NewTestDB(t)

`@@ -153,7 +153,7 @@` func TestDockerExecute_BuildsResourceCappedRunCommand(t *testing.T) {
153	153	if !reflect.DeepEqual(rec.args, want) {
154	154	t.Fatalf("args:\ngot %#v\nwant %#v", rec.args, want)
155	155	}
156		- if !strings.HasPrefix(rec.args[25], "type=bind,src=") \|\| !strings.HasSuffix(rec.args[25], ",dst=/workspace,rw") {
	156	+ if !strings.HasPrefix(rec.args[25], "type=bind,src=") \|\| !strings.HasSuffix(rec.args[25], ",dst=/workspace") \|\| strings.Contains(rec.args[25], ",rw") {
157	157	t.Fatalf("workspace mount arg: %q", rec.args[25])
158	158	}
159	159	if wantEnv := []string{"A=job", "B=step"}; !reflect.DeepEqual(rec.env, wantEnv) {