`c44c8a6`

docs: document actions policy gates (S41j-3)

Authored by mfwolffe <wolffemf@dukes.jmu.edu> yesterday

SHA: c44c8a6e120d326bdae56dada4aa208807a7d479
Parents: 34b84f5
Tree: 157743b

3 changed files

Status	File	+	-
M	`docs/internal/actions-runner-api.md`	9	0
M	`docs/internal/actions-schema.md`	10	1
M	`docs/internal/permissions.md`	2	0

docs/internal/actions-runner-api.mdmodified

  `token`, `expires_at`, and `job` when a job is claimed. Capacity is
  enforced server-side by counting current `workflow_jobs.status =
  'running'` rows for the runner while holding a row lock on the runner.
 +Claiming also enforces the effective Actions policy for the repository:
 +disabled repos, approval-pending runs, per-repo concurrent job caps, and
 +per-owner/org concurrent job caps are not dispatchable. Approval simply
 +sets `workflow_runs.approved_by_user_id`; the next heartbeat can claim the
 +same queued jobs, so no duplicate run is created.
  The job payload includes `checkout_url`, `checkout_token`, resolved
  `secrets`, and `mask_values`; repo secrets shadow org secrets with the
  same name. The server also stores an encrypted claim-time copy of the mask
  against the secrets that were actually handed to the runner, even if an
  operator rotates or deletes a secret mid-job.
 +Pull request runs receive no org or repo secrets in v1, even after a
 +maintainer approves dispatch. This is intentionally stricter than the
 +approval gate until environments/protected deployment secrets exist.
++
  `POST /api/v1/jobs/{id}/logs`
  Auth: job JWT. Body:

docs/internal/actions-schema.mdmodified

  ## SQL schema
 -Actions migrations currently span 0042–0051, 0053, 0057, and 0060.
 +Actions migrations currently span 0042–0051, 0053, 0057, 0060, and 0064–0066.
  Migration 0052 belongs to the repo source-remotes feature, 0054
  belongs to push event protocol tracking, 0055 belongs to the social
  feed, 0056 belongs to user profile contribution settings, 0058 belongs
  | 0053  | `runner_jwt_used`           | Single-use replay gate for runner job JWTs                    |
  | 0057  | `workflow_job_secret_masks` | Encrypted claim-time log mask snapshots per job               |
  | 0060  | Actions retention indexes   | Narrow cleanup indexes for terminal steps/runs                |
 +| 0066  | `actions_*_policies`, `workflow_run_approvals` | Enablement, runner-pool caps, and approval decisions |
  A few load-bearing choices, called out so they're easy to spot in a
  later schema diff:
    claim time, preventing a rotated or deleted secret from disappearing
    from server-side masking while the old value is still in a runner's
    job payload.
 +- **`actions_site_policy`, `actions_org_policies`,
 +  `actions_repo_policies`** — inherited Actions enablement and abuse
 +  caps. Runner claim and trigger enqueue both read the effective policy:
 +  repo override, then org override, then site default.
 +- **`workflow_run_approvals`** — one approval-decision row for every run
 +  whose `workflow_runs.need_approval` flag is set. Approval records the
 +  maintainer and lets runner heartbeats claim the existing queued jobs;
 +  rejection completes the run with `action_required`.
  The `version` and `run_index` patterns are the two pieces I'd point
  out to a future maintainer first. Both are cheap to add now and

docs/internal/permissions.mdmodified

  | `repo:delete`                         | `admin`          |
  | `repo:transfer`                       | `admin`          |
  | `repo:visibility`                     | `admin`          |
 +| `actions:run`                         | `write`          |
 +| `actions:approve`                     | `maintain`       |
  | `issue:read`                          | `read` (private) |
  | `issue:create`                        | logged in on public; `read` on private |
  | `issue:comment`                       | logged in on public; `read` on private |