tenseleyflow/shithub / e85a1c4

+	"github.com/tenseleyFlow/shithub/internal/actions/runnerlabels"

+	return runnerlabels.ParseCSV(raw)

+-- name: CountRunningJobsForRunner :one

+SELECT COUNT(*)::integer

+FROM workflow_jobs

+WHERE runner_id = sqlc.arg(runner_id)::bigint AND status = 'running';

+

+-- name: ClaimQueuedWorkflowJob :one

+WITH candidate AS (

+    SELECT j.id

+    FROM workflow_jobs j

+    WHERE j.status = 'queued'

+      AND j.runner_id IS NULL

+      AND (j.runs_on = '' OR j.runs_on = ANY(sqlc.arg(labels)::text[]))

+      AND NOT EXISTS (

+          SELECT 1

+          FROM workflow_jobs dep

+          WHERE dep.run_id = j.run_id

+            AND dep.job_key = ANY(j.needs_jobs)

+            AND (dep.status <> 'completed' OR dep.conclusion <> 'success')

+      )

+    ORDER BY j.created_at ASC, j.id ASC

+    FOR UPDATE OF j SKIP LOCKED

+    LIMIT 1

+),

+claimed AS (

+    UPDATE workflow_jobs j

+    SET runner_id = sqlc.arg(runner_id)::bigint,

+        status = 'running',

+        started_at = COALESCE(j.started_at, now()),

+        version = j.version + 1,

+        updated_at = now()

+    FROM candidate c

+    WHERE j.id = c.id

+    RETURNING j.id, j.run_id, j.job_index, j.job_key, j.job_name, j.runs_on,

+              j.runner_id, j.needs_jobs, j.if_expr, j.timeout_minutes,

+              j.permissions, j.job_env, j.status, j.conclusion,

+              j.cancel_requested, j.started_at, j.completed_at, j.version,

+              j.created_at, j.updated_at

+)

+SELECT c.id, c.run_id, c.job_index, c.job_key, c.job_name, c.runs_on,

+       c.runner_id, c.needs_jobs, c.if_expr, c.timeout_minutes,

+       c.permissions, c.job_env, c.status, c.conclusion,

+       c.cancel_requested, c.started_at, c.completed_at, c.version,

+       c.created_at, c.updated_at,

+       r.repo_id, r.run_index, r.workflow_file, r.workflow_name,

+       r.head_sha, r.head_ref, r.event

+FROM claimed c

+JOIN workflow_runs r ON r.id = c.run_id;

+

+-- name: LockRunnerByID :one

+SELECT id, name, labels, capacity, status, last_heartbeat_at,

+       registered_by_user_id, created_at, updated_at

+FROM workflow_runners

+WHERE id = $1

+FOR UPDATE;

+

+-- name: HeartbeatRunner :one

+UPDATE workflow_runners

+SET labels = $2,

+    capacity = $3,

+    last_heartbeat_at = now(),

+    status = $4,

+    updated_at = now()

+WHERE id = $1

+RETURNING id, name, labels, capacity, status, last_heartbeat_at,

+          registered_by_user_id, created_at, updated_at;

+

+-- name: MarkWorkflowRunRunning :exec

+UPDATE workflow_runs

+SET status = 'running',

+    started_at = COALESCE(started_at, now()),

+    version = version + 1,

+    updated_at = now()

+WHERE id = $1 AND status = 'queued';

+

+-- name: ListRunnerStepsForJob :many

+SELECT id, job_id, step_index, step_id, step_name, if_expr,

+       run_command, uses_alias, working_directory, step_env,

+       continue_on_error, status, conclusion, log_byte_count,

+       started_at, completed_at, created_at, step_with

+FROM workflow_steps

+WHERE job_id = $1

+ORDER BY step_index ASC;

+

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+// Package runnerlabels normalizes Actions runner labels for registration and

+// heartbeat matching.

+package runnerlabels

+

+import (

+	"errors"

+	"fmt"

+	"regexp"

+	"strings"

+)

+

+var labelRE = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)

+

+// ParseCSV parses a comma-separated label list.

+func ParseCSV(raw string) ([]string, error) {

+	raw = strings.TrimSpace(raw)

+	if raw == "" {

+		return []string{}, nil

+	}

+	return Normalize(strings.Split(raw, ","))

+}

+

+// Normalize trims, validates, and de-duplicates labels while preserving order.

+func Normalize(labels []string) ([]string, error) {

+	if len(labels) == 0 {

+		return []string{}, nil

+	}

+	seen := make(map[string]struct{}, len(labels))

+	out := make([]string, 0, len(labels))

+	for _, label := range labels {

+		label = strings.TrimSpace(label)

+		if label == "" {

+			return nil, errors.New("runner labels must not contain empty entries")

+		}

+		if len(label) > 100 || !labelRE.MatchString(label) {

+			return nil, fmt.Errorf("invalid runner label %q", label)

+		}

+		if _, ok := seen[label]; ok {

+			continue

+		}

+		seen[label] = struct{}{}

+		out = append(out, label)

+	}

+	return out, nil

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package runnerlabels_test

+

+import (

+	"reflect"

+	"testing"

+

+	"github.com/tenseleyFlow/shithub/internal/actions/runnerlabels"

+)

+

+func TestParseCSV(t *testing.T) {

+	got, err := runnerlabels.ParseCSV(" self-hosted, linux,linux,ubuntu-24.04 ")

+	if err != nil {

+		t.Fatalf("ParseCSV: %v", err)

+	}

+	want := []string{"self-hosted", "linux", "ubuntu-24.04"}

+	if !reflect.DeepEqual(got, want) {

+		t.Fatalf("labels: got %#v, want %#v", got, want)

+	}

+}

+

+func TestNormalizeRejectsInvalidLabels(t *testing.T) {

+	for _, labels := range [][]string{

+		{"linux", ""},

+		{"has space"},

+		{"semi;colon"},

+	} {

+		if _, err := runnerlabels.Normalize(labels); err == nil {

+			t.Fatalf("Normalize(%#v) returned nil error", labels)

+		}

+	}

+}

+	ClaimQueuedWorkflowJob(ctx context.Context, db DBTX, arg ClaimQueuedWorkflowJobParams) (ClaimQueuedWorkflowJobRow, error)

+	CountRunningJobsForRunner(ctx context.Context, db DBTX, runnerID int64) (int32, error)

+	HeartbeatRunner(ctx context.Context, db DBTX, arg HeartbeatRunnerParams) (WorkflowRunner, error)

+	ListRunnerStepsForJob(ctx context.Context, db DBTX, jobID int64) ([]ListRunnerStepsForJobRow, error)

+	LockRunnerByID(ctx context.Context, db DBTX, id int64) (WorkflowRunner, error)

+	MarkWorkflowRunRunning(ctx context.Context, db DBTX, id int64) error

+const claimQueuedWorkflowJob = `-- name: ClaimQueuedWorkflowJob :one

+WITH candidate AS (

+    SELECT j.id

+    FROM workflow_jobs j

+    WHERE j.status = 'queued'

+      AND j.runner_id IS NULL

+      AND (j.runs_on = '' OR j.runs_on = ANY($1::text[]))

+      AND NOT EXISTS (

+          SELECT 1

+          FROM workflow_jobs dep

+          WHERE dep.run_id = j.run_id

+            AND dep.job_key = ANY(j.needs_jobs)

+            AND (dep.status <> 'completed' OR dep.conclusion <> 'success')

+      )

+    ORDER BY j.created_at ASC, j.id ASC

+    FOR UPDATE OF j SKIP LOCKED

+    LIMIT 1

+),

+claimed AS (

+    UPDATE workflow_jobs j

+    SET runner_id = $2::bigint,

+        status = 'running',

+        started_at = COALESCE(j.started_at, now()),

+        version = j.version + 1,

+        updated_at = now()

+    FROM candidate c

+    WHERE j.id = c.id

+    RETURNING j.id, j.run_id, j.job_index, j.job_key, j.job_name, j.runs_on,

+              j.runner_id, j.needs_jobs, j.if_expr, j.timeout_minutes,

+              j.permissions, j.job_env, j.status, j.conclusion,

+              j.cancel_requested, j.started_at, j.completed_at, j.version,

+              j.created_at, j.updated_at

+)

+SELECT c.id, c.run_id, c.job_index, c.job_key, c.job_name, c.runs_on,

+       c.runner_id, c.needs_jobs, c.if_expr, c.timeout_minutes,

+       c.permissions, c.job_env, c.status, c.conclusion,

+       c.cancel_requested, c.started_at, c.completed_at, c.version,

+       c.created_at, c.updated_at,

+       r.repo_id, r.run_index, r.workflow_file, r.workflow_name,

+       r.head_sha, r.head_ref, r.event

+FROM claimed c

+JOIN workflow_runs r ON r.id = c.run_id

+`

+

+type ClaimQueuedWorkflowJobParams struct {

+	Labels   []string

+	RunnerID int64

+}

+

+type ClaimQueuedWorkflowJobRow struct {

+	ID              int64

+	RunID           int64

+	JobIndex        int32

+	JobKey          string

+	JobName         string

+	RunsOn          string

+	RunnerID        pgtype.Int8

+	NeedsJobs       []string

+	IfExpr          string

+	TimeoutMinutes  int32

+	Permissions     []byte

+	JobEnv          []byte

+	Status          WorkflowJobStatus

+	Conclusion      NullCheckConclusion

+	CancelRequested bool

+	StartedAt       pgtype.Timestamptz

+	CompletedAt     pgtype.Timestamptz

+	Version         int32

+	CreatedAt       pgtype.Timestamptz

+	UpdatedAt       pgtype.Timestamptz

+	RepoID          int64

+	RunIndex        int64

+	WorkflowFile    string

+	WorkflowName    string

+	HeadSha         string

+	HeadRef         string

+	Event           WorkflowRunEvent

+}

+

+func (q *Queries) ClaimQueuedWorkflowJob(ctx context.Context, db DBTX, arg ClaimQueuedWorkflowJobParams) (ClaimQueuedWorkflowJobRow, error) {

+	row := db.QueryRow(ctx, claimQueuedWorkflowJob, arg.Labels, arg.RunnerID)

+	var i ClaimQueuedWorkflowJobRow

+	err := row.Scan(

+		&i.ID,

+		&i.RunID,

+		&i.JobIndex,

+		&i.JobKey,

+		&i.JobName,

+		&i.RunsOn,

+		&i.RunnerID,

+		&i.NeedsJobs,

+		&i.IfExpr,

+		&i.TimeoutMinutes,

+		&i.Permissions,

+		&i.JobEnv,

+		&i.Status,

+		&i.Conclusion,

+		&i.CancelRequested,

+		&i.StartedAt,

+		&i.CompletedAt,

+		&i.Version,

+		&i.CreatedAt,

+		&i.UpdatedAt,

+		&i.RepoID,

+		&i.RunIndex,

+		&i.WorkflowFile,

+		&i.WorkflowName,

+		&i.HeadSha,

+		&i.HeadRef,

+		&i.Event,

+	)

+	return i, err

+}

+

+const countRunningJobsForRunner = `-- name: CountRunningJobsForRunner :one

+SELECT COUNT(*)::integer

+FROM workflow_jobs

+WHERE runner_id = $1::bigint AND status = 'running'

+`

+

+func (q *Queries) CountRunningJobsForRunner(ctx context.Context, db DBTX, runnerID int64) (int32, error) {

+	row := db.QueryRow(ctx, countRunningJobsForRunner, runnerID)

+	var column_1 int32

+	err := row.Scan(&column_1)

+	return column_1, err

+}

+

+const heartbeatRunner = `-- name: HeartbeatRunner :one

+UPDATE workflow_runners

+SET labels = $2,

+    capacity = $3,

+    last_heartbeat_at = now(),

+    status = $4,

+    updated_at = now()

+WHERE id = $1

+RETURNING id, name, labels, capacity, status, last_heartbeat_at,

+          registered_by_user_id, created_at, updated_at

+`

+

+type HeartbeatRunnerParams struct {

+	ID       int64

+	Labels   []string

+	Capacity int32

+	Status   WorkflowRunnerStatus

+}

+

+func (q *Queries) HeartbeatRunner(ctx context.Context, db DBTX, arg HeartbeatRunnerParams) (WorkflowRunner, error) {

+	row := db.QueryRow(ctx, heartbeatRunner,

+		arg.ID,

+		arg.Labels,

+		arg.Capacity,

+		arg.Status,

+	)

+	var i WorkflowRunner

+	err := row.Scan(

+		&i.ID,

+		&i.Name,

+		&i.Labels,

+		&i.Capacity,

+		&i.Status,

+		&i.LastHeartbeatAt,

+		&i.RegisteredByUserID,

+		&i.CreatedAt,

+		&i.UpdatedAt,

+	)

+	return i, err

+}

+

+const lockRunnerByID = `-- name: LockRunnerByID :one

+SELECT id, name, labels, capacity, status, last_heartbeat_at,

+       registered_by_user_id, created_at, updated_at

+FROM workflow_runners

+WHERE id = $1

+FOR UPDATE

+`

+

+func (q *Queries) LockRunnerByID(ctx context.Context, db DBTX, id int64) (WorkflowRunner, error) {

+	row := db.QueryRow(ctx, lockRunnerByID, id)

+	var i WorkflowRunner

+	err := row.Scan(

+		&i.ID,

+		&i.Name,

+		&i.Labels,

+		&i.Capacity,

+		&i.Status,

+		&i.LastHeartbeatAt,

+		&i.RegisteredByUserID,

+		&i.CreatedAt,

+		&i.UpdatedAt,

+	)

+	return i, err

+}

+

+const markWorkflowRunRunning = `-- name: MarkWorkflowRunRunning :exec

+UPDATE workflow_runs

+SET status = 'running',

+    started_at = COALESCE(started_at, now()),

+    version = version + 1,

+    updated_at = now()

+WHERE id = $1 AND status = 'queued'

+`

+

+func (q *Queries) MarkWorkflowRunRunning(ctx context.Context, db DBTX, id int64) error {

+	_, err := db.Exec(ctx, markWorkflowRunRunning, id)

+	return err

+}

+

+const listRunnerStepsForJob = `-- name: ListRunnerStepsForJob :many

+SELECT id, job_id, step_index, step_id, step_name, if_expr,

+       run_command, uses_alias, working_directory, step_env,

+       continue_on_error, status, conclusion, log_byte_count,

+       started_at, completed_at, created_at, step_with

+FROM workflow_steps

+WHERE job_id = $1

+ORDER BY step_index ASC

+`

+

+type ListRunnerStepsForJobRow struct {

+	ID               int64

+	JobID            int64

+	StepIndex        int32

+	StepID           string

+	StepName         string

+	IfExpr           string

+	RunCommand       string

+	UsesAlias        string

+	WorkingDirectory string

+	StepEnv          []byte

+	ContinueOnError  bool

+	Status           WorkflowStepStatus

+	Conclusion       NullCheckConclusion

+	LogByteCount     int64

+	StartedAt        pgtype.Timestamptz

+	CompletedAt      pgtype.Timestamptz

+	CreatedAt        pgtype.Timestamptz

+	StepWith         []byte

+}

+

+func (q *Queries) ListRunnerStepsForJob(ctx context.Context, db DBTX, jobID int64) ([]ListRunnerStepsForJobRow, error) {

+	rows, err := db.Query(ctx, listRunnerStepsForJob, jobID)

+	if err != nil {

+		return nil, err

+	}

+	defer rows.Close()

+	items := []ListRunnerStepsForJobRow{}

+	for rows.Next() {

+		var i ListRunnerStepsForJobRow

+		if err := rows.Scan(

+			&i.ID,

+			&i.JobID,

+			&i.StepIndex,

+			&i.StepID,

+			&i.StepName,

+			&i.IfExpr,

+			&i.RunCommand,

+			&i.UsesAlias,

+			&i.WorkingDirectory,

+			&i.StepEnv,

+			&i.ContinueOnError,

+			&i.Status,

+			&i.Conclusion,

+			&i.LogByteCount,

+			&i.StartedAt,

+			&i.CompletedAt,

+			&i.CreatedAt,

+			&i.StepWith,

+		); err != nil {

+			return nil, err

+		}

+		items = append(items, i)

+	}

+	if err := rows.Err(); err != nil {

+		return nil, err

+	}

+	return items, nil

+}

+

+	"github.com/tenseleyFlow/shithub/internal/auth/runnerjwt"

+func buildAPIHandlers(

+	pool *pgxpool.Pool,

+	objectStore storage.ObjectStore,

+	runnerJWT *runnerjwt.Signer,

+	rateLimiter *ratelimit.Limiter,

+	logger *slog.Logger,

+) (*apih.Handlers, error) {

+		Pool:        pool,

+		Debouncer:   sharedPATDebouncer,

+		Logger:      logger,

+		ObjectStore: objectStore,

+		RunnerJWT:   runnerJWT,

+		RateLimiter: rateLimiter,

+	"log/slog"

+	"github.com/tenseleyFlow/shithub/internal/auth/runnerjwt"

+	"github.com/tenseleyFlow/shithub/internal/infra/storage"

+	"github.com/tenseleyFlow/shithub/internal/ratelimit"

+	Pool        *pgxpool.Pool

+	Debouncer   *pat.Debouncer

+	Logger      *slog.Logger

+	ObjectStore storage.ObjectStore

+	RunnerJWT   *runnerjwt.Signer

+	RateLimiter *ratelimit.Limiter

+	if d.Logger == nil {

+		d.Logger = slog.Default()

+	}

+// runnerAPIMaxBodyBytes must fit a 512 KiB raw log chunk after base64

+// expansion plus JSON framing.

+const runnerAPIMaxBodyBytes = 768 * 1024

+

+	r.Group(func(r chi.Router) {

+		r.Use(middleware.MaxBodySize(runnerAPIMaxBodyBytes))

+		h.mountRunners(r)

+	})

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package api

+

+import (

+	"context"

+	"encoding/json"

+	"errors"

+	"fmt"

+	"io"

+	"net/http"

+	"strings"

+	"time"

+

+	"github.com/go-chi/chi/v5"

+	"github.com/jackc/pgx/v5"

+

+	"github.com/tenseleyFlow/shithub/internal/actions/runnerlabels"

+	"github.com/tenseleyFlow/shithub/internal/actions/runnertoken"

+	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/auth/runnerjwt"

+	"github.com/tenseleyFlow/shithub/internal/ratelimit"

+)

+

+var runnerHeartbeatLimit = ratelimit.Policy{

+	Scope:  "actions:runner_dispatch",

+	Max:    60,

+	Window: time.Minute,

+}

+

+func (h *Handlers) mountRunners(r chi.Router) {

+	r.Post("/api/v1/runners/heartbeat", h.runnerHeartbeat)

+}

+

+type runnerHeartbeatRequest struct {

+	Labels   []string `json:"labels"`

+	Capacity int      `json:"capacity"`

+}

+

+func (h *Handlers) runnerHeartbeat(w http.ResponseWriter, r *http.Request) {

+	if h.d.RunnerJWT == nil {

+		writeAPIError(w, http.StatusServiceUnavailable, "runner API is not configured")

+		return

+	}

+	runner, ok := h.authenticateRunner(w, r)

+	if !ok {

+		return

+	}

+	if !h.allowRunnerHeartbeat(w, r, runner.ID) {

+		return

+	}

+

+	var body runnerHeartbeatRequest

+	dec := json.NewDecoder(r.Body)

+	dec.DisallowUnknownFields()

+	if err := dec.Decode(&body); err != nil && !errors.Is(err, io.EOF) {

+		writeAPIError(w, http.StatusBadRequest, "invalid JSON: "+err.Error())

+		return

+	}

+	labels := runner.Labels

+	if body.Labels != nil {

+		var err error

+		labels, err = runnerlabels.Normalize(body.Labels)

+		if err != nil {

+			writeAPIError(w, http.StatusBadRequest, err.Error())

+			return

+		}

+	}

+	capacity := int(runner.Capacity)

+	if body.Capacity != 0 {

+		capacity = body.Capacity

+	}

+	if capacity < 1 || capacity > 64 {

+		writeAPIError(w, http.StatusBadRequest, "capacity must be between 1 and 64")

+		return

+	}

+

+	job, steps, claimed, err := h.claimRunnerJob(r.Context(), runner.ID, labels, int32(capacity))

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "runner heartbeat claim failed", "runner_id", runner.ID, "error", err)

+		writeAPIError(w, http.StatusInternalServerError, "runner heartbeat failed")

+		return

+	}

+	if !claimed {

+		w.WriteHeader(http.StatusNoContent)

+		return

+	}

+

+	token, claims, err := h.d.RunnerJWT.Mint(runnerjwt.MintParams{

+		RunnerID: runner.ID,

+		JobID:    job.ID,

+		RunID:    job.RunID,

+		RepoID:   job.RepoID,

+	})

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "runner jwt mint failed", "runner_id", runner.ID, "job_id", job.ID, "error", err)

+		writeAPIError(w, http.StatusInternalServerError, "runner token mint failed")

+		return

+	}

+	writeJSON(w, http.StatusOK, presentRunnerClaim(job, steps, token, time.Unix(claims.Exp, 0)))

+}

+

+func (h *Handlers) authenticateRunner(w http.ResponseWriter, r *http.Request) (actionsdb.GetRunnerByTokenHashRow, bool) {

+	const prefix = "Bearer "

+	authz := r.Header.Get("Authorization")

+	if !strings.HasPrefix(authz, prefix) {

+		writeAPIError(w, http.StatusUnauthorized, "runner token required")

+		return actionsdb.GetRunnerByTokenHashRow{}, false

+	}

+	hash, err := runnertoken.HashOf(strings.TrimSpace(strings.TrimPrefix(authz, prefix)))

+	if err != nil {

+		writeAPIError(w, http.StatusUnauthorized, "runner token invalid")

+		return actionsdb.GetRunnerByTokenHashRow{}, false

+	}

+	runner, err := actionsdb.New().GetRunnerByTokenHash(r.Context(), h.d.Pool, hash)

+	if err != nil {

+		writeAPIError(w, http.StatusUnauthorized, "runner token invalid")

+		return actionsdb.GetRunnerByTokenHashRow{}, false

+	}

+	return runner, true

+}

+

+func (h *Handlers) allowRunnerHeartbeat(w http.ResponseWriter, r *http.Request, runnerID int64) bool {

+	if h.d.RateLimiter == nil {

+		return true

+	}

+	decision, err := h.d.RateLimiter.Allow(r.Context(), runnerHeartbeatLimit, fmt.Sprintf("runner:%d", runnerID))

+	if err != nil {

+		h.d.Logger.WarnContext(r.Context(), "runner heartbeat rate-limit failed", "runner_id", runnerID, "error", err)

+	}

+	ratelimit.StampHeaders(w, decision)

+	if !decision.Allowed {

+		w.Header().Set("Retry-After", fmt.Sprintf("%d", int(decision.RetryAfter/time.Second)))

+		writeAPIError(w, http.StatusTooManyRequests, "rate limit exceeded")

+		return false

+	}

+	return true

+}

+

+func (h *Handlers) claimRunnerJob(

+	ctx context.Context,

+	runnerID int64,

+	labels []string,

+	capacity int32,

+) (actionsdb.ClaimQueuedWorkflowJobRow, []actionsdb.ListRunnerStepsForJobRow, bool, error) {

+	q := actionsdb.New()

+	tx, err := h.d.Pool.Begin(ctx)

+	if err != nil {

+		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err

+	}

+	committed := false

+	defer func() {

+		if !committed {

+			_ = tx.Rollback(ctx)

+		}

+	}()

+

+	if _, err := q.LockRunnerByID(ctx, tx, runnerID); err != nil {

+		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err

+	}

+	running, err := q.CountRunningJobsForRunner(ctx, tx, runnerID)

+	if err != nil {

+		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err

+	}

+	if running >= capacity {

+		if _, err := q.HeartbeatRunner(ctx, tx, actionsdb.HeartbeatRunnerParams{

+			ID:       runnerID,

+			Labels:   labels,

+			Capacity: capacity,

+			Status:   actionsdb.WorkflowRunnerStatusBusy,

+		}); err != nil {

+			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err

+		}

+		if err := tx.Commit(ctx); err != nil {

+			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err

+		}

+		committed = true

+		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, nil

+	}

+

+	job, err := q.ClaimQueuedWorkflowJob(ctx, tx, actionsdb.ClaimQueuedWorkflowJobParams{

+		RunnerID: runnerID,

+		Labels:   labels,

+	})

+	if err != nil {

+		if !errors.Is(err, pgx.ErrNoRows) {

+			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err

+		}

+		if _, err := q.HeartbeatRunner(ctx, tx, actionsdb.HeartbeatRunnerParams{

+			ID:       runnerID,

+			Labels:   labels,

+			Capacity: capacity,

+			Status:   actionsdb.WorkflowRunnerStatusIdle,

+		}); err != nil {

+			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err

+		}

+		if err := tx.Commit(ctx); err != nil {

+			return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err

+		}

+		committed = true

+		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, nil

+	}

+	if err := q.MarkWorkflowRunRunning(ctx, tx, job.RunID); err != nil {

+		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err

+	}

+	steps, err := q.ListRunnerStepsForJob(ctx, tx, job.ID)

+	if err != nil {

+		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err

+	}

+	status := actionsdb.WorkflowRunnerStatusIdle

+	if running+1 >= capacity {

+		status = actionsdb.WorkflowRunnerStatusBusy

+	}

+	if _, err := q.HeartbeatRunner(ctx, tx, actionsdb.HeartbeatRunnerParams{

+		ID:       runnerID,

+		Labels:   labels,

+		Capacity: capacity,

+		Status:   status,

+	}); err != nil {

+		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err

+	}

+	if err := tx.Commit(ctx); err != nil {

+		return actionsdb.ClaimQueuedWorkflowJobRow{}, nil, false, err

+	}

+	committed = true

+	return job, steps, true, nil

+}

+

+type runnerClaimResponse struct {

+	Token     string           `json:"token"`

+	ExpiresAt string           `json:"expires_at"`

+	Job       runnerJobPayload `json:"job"`

+}

+

+type runnerJobPayload struct {

+	ID             int64           `json:"id"`

+	RunID          int64           `json:"run_id"`

+	RepoID         int64           `json:"repo_id"`

+	RunIndex       int64           `json:"run_index"`

+	WorkflowFile   string          `json:"workflow_file"`

+	WorkflowName   string          `json:"workflow_name"`

+	HeadSHA        string          `json:"head_sha"`

+	HeadRef        string          `json:"head_ref"`

+	Event          string          `json:"event"`

+	JobKey         string          `json:"job_key"`

+	JobName        string          `json:"job_name"`

+	RunsOn         string          `json:"runs_on"`

+	Needs          []string        `json:"needs"`

+	If             string          `json:"if"`

+	TimeoutMinutes int32           `json:"timeout_minutes"`

+	Permissions    json.RawMessage `json:"permissions"`

+	Env            json.RawMessage `json:"env"`

+	Steps          []runnerStep    `json:"steps"`

+}

+

+type runnerStep struct {

+	ID               int64           `json:"id"`

+	Index            int32           `json:"index"`

+	StepID           string          `json:"step_id"`

+	Name             string          `json:"name"`

+	If               string          `json:"if"`

+	Run              string          `json:"run"`

+	Uses             string          `json:"uses"`

+	WorkingDirectory string          `json:"working_directory"`

+	Env              json.RawMessage `json:"env"`

+	With             json.RawMessage `json:"with"`

+	ContinueOnError  bool            `json:"continue_on_error"`

+}

+

+func presentRunnerClaim(

+	job actionsdb.ClaimQueuedWorkflowJobRow,

+	steps []actionsdb.ListRunnerStepsForJobRow,

+	token string,

+	expiresAt time.Time,

+) runnerClaimResponse {

+	outSteps := make([]runnerStep, 0, len(steps))

+	for _, step := range steps {

+		outSteps = append(outSteps, runnerStep{

+			ID:               step.ID,

+			Index:            step.StepIndex,

+			StepID:           step.StepID,

+			Name:             step.StepName,

+			If:               step.IfExpr,

+			Run:              step.RunCommand,

+			Uses:             step.UsesAlias,

+			WorkingDirectory: step.WorkingDirectory,

+			Env:              rawJSONOrObject(step.StepEnv),

+			With:             rawJSONOrObject(step.StepWith),

+			ContinueOnError:  step.ContinueOnError,

+		})

+	}

+	return runnerClaimResponse{

+		Token:     token,

+		ExpiresAt: expiresAt.UTC().Format(time.RFC3339),

+		Job: runnerJobPayload{

+			ID:             job.ID,

+			RunID:          job.RunID,

+			RepoID:         job.RepoID,

+			RunIndex:       job.RunIndex,

+			WorkflowFile:   job.WorkflowFile,

+			WorkflowName:   job.WorkflowName,

+			HeadSHA:        job.HeadSha,

+			HeadRef:        job.HeadRef,

+			Event:          string(job.Event),

+			JobKey:         job.JobKey,

+			JobName:        job.JobName,

+			RunsOn:         job.RunsOn,

+			Needs:          job.NeedsJobs,

+			If:             job.IfExpr,

+			TimeoutMinutes: job.TimeoutMinutes,

+			Permissions:    rawJSONOrObject(job.Permissions),

+			Env:            rawJSONOrObject(job.JobEnv),

+			Steps:          outSteps,

+		},

+	}

+}

+

+func rawJSONOrObject(b []byte) json.RawMessage {

+	if len(b) == 0 || !json.Valid(b) {

+		return json.RawMessage(`{}`)

+	}

+	return json.RawMessage(b)

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package api_test

+

+import (

+	"bytes"

+	"context"

+	"encoding/json"

+	"io"

+	"log/slog"

+	"net/http"

+	"net/http/httptest"

+	"strings"

+	"testing"

+	"time"

+

+	"github.com/go-chi/chi/v5"

+	"github.com/jackc/pgx/v5/pgtype"

+	"github.com/jackc/pgx/v5/pgxpool"

+

+	"github.com/tenseleyFlow/shithub/internal/actions/runnertoken"

+	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/actions/trigger"

+	"github.com/tenseleyFlow/shithub/internal/actions/workflow"

+	"github.com/tenseleyFlow/shithub/internal/auth/runnerjwt"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/testing/dbtest"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+	apih "github.com/tenseleyFlow/shithub/internal/web/handlers/api"

+)

+

+const runnerAPIFixtureHash = "$argon2id$v=19$m=16384,t=1,p=1$" +

+	"AAAAAAAAAAAAAAAA$" +

+	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

+

+func TestRunnerHeartbeatClaimsQueuedJob(t *testing.T) {

+	ctx := context.Background()

+	pool := dbtest.NewTestDB(t)

+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))

+	repoID, userID := setupRunnerAPIRepo(t, pool)

+	runID := enqueueRunnerAPIRun(t, pool, logger, repoID, userID)

+

+	token, runnerID := registerRunnerForTest(t, pool, []string{"ubuntu-latest", "linux"}, 1)

+	signer := runnerAPISigner(t, time.Date(2026, 5, 10, 12, 0, 0, 0, time.UTC))

+	router := newRunnerAPIRouter(t, pool, logger, signer)

+

+	req := httptest.NewRequest(http.MethodPost, "/api/v1/runners/heartbeat",

+		strings.NewReader(`{"labels":["ubuntu-latest","linux"],"capacity":1}`))

+	req.Header.Set("Authorization", "Bearer "+token)

+	rr := httptest.NewRecorder()

+	router.ServeHTTP(rr, req)

+

+	if rr.Code != http.StatusOK {

+		t.Fatalf("status: got %d, want 200; body=%s", rr.Code, rr.Body.String())

+	}

+	var resp struct {

+		Token string `json:"token"`

+		Job   struct {

+			ID     int64 `json:"id"`

+			RunID  int64 `json:"run_id"`

+			RepoID int64 `json:"repo_id"`

+			Steps  []struct {

+				Run  string `json:"run"`

+				Uses string `json:"uses"`

+			} `json:"steps"`

+		} `json:"job"`

+	}

+	if err := json.Unmarshal(rr.Body.Bytes(), &resp); err != nil {

+		t.Fatalf("decode response: %v", err)

+	}

+	if resp.Token == "" {

+		t.Fatal("response token is empty")

+	}

+	if resp.Job.RunID != runID || resp.Job.RepoID != repoID || len(resp.Job.Steps) != 2 {

+		t.Fatalf("unexpected job payload: %+v", resp.Job)

+	}

+	claims, err := signer.Verify(resp.Token)

+	if err != nil {

+		t.Fatalf("verify runner JWT: %v", err)

+	}

+	if claims.JobID != resp.Job.ID || claims.RunID != runID || claims.RepoID != repoID {

+		t.Fatalf("claims/job mismatch: claims=%+v job=%+v", claims, resp.Job)

+	}

+	claimRunnerID, err := claims.RunnerID()

+	if err != nil {

+		t.Fatalf("claims RunnerID: %v", err)

+	}

+	if claimRunnerID != runnerID {

+		t.Fatalf("claims runner_id: got %d, want %d", claimRunnerID, runnerID)

+	}

+

+	q := actionsdb.New()

+	job, err := q.GetWorkflowJobByID(ctx, pool, resp.Job.ID)

+	if err != nil {

+		t.Fatalf("GetWorkflowJobByID: %v", err)

+	}

+	if job.Status != actionsdb.WorkflowJobStatusRunning || !job.RunnerID.Valid || job.RunnerID.Int64 != runnerID {

+		t.Fatalf("job not claimed by runner: %+v", job)

+	}

+	run, err := q.GetWorkflowRunByID(ctx, pool, runID)

+	if err != nil {

+		t.Fatalf("GetWorkflowRunByID: %v", err)

+	}

+	if run.Status != actionsdb.WorkflowRunStatusRunning {

+		t.Fatalf("run status: got %s, want running", run.Status)

+	}

+

+	// Capacity is enforced server-side: a second heartbeat from the same

+	// runner sees one running job and receives no additional claim.

+	req = httptest.NewRequest(http.MethodPost, "/api/v1/runners/heartbeat",

+		strings.NewReader(`{"labels":["ubuntu-latest","linux"],"capacity":1}`))

+	req.Header.Set("Authorization", "Bearer "+token)

+	rr = httptest.NewRecorder()

+	router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusNoContent {

+		t.Fatalf("second heartbeat status: got %d, want 204; body=%s", rr.Code, rr.Body.String())

+	}

+}

+

+func TestRunnerHeartbeatRejectsBadToken(t *testing.T) {

+	pool := dbtest.NewTestDB(t)

+	router := newRunnerAPIRouter(t, pool, slog.New(slog.NewTextHandler(io.Discard, nil)), runnerAPISigner(t, time.Now()))

+	req := httptest.NewRequest(http.MethodPost, "/api/v1/runners/heartbeat", bytes.NewReader([]byte(`{}`)))

+	req.Header.Set("Authorization", "Bearer not-hex")

+	rr := httptest.NewRecorder()

+	router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusUnauthorized {

+		t.Fatalf("status: got %d, want 401; body=%s", rr.Code, rr.Body.String())

+	}

+}

+

+func newRunnerAPIRouter(t *testing.T, pool *pgxpool.Pool, logger *slog.Logger, signer *runnerjwt.Signer) http.Handler {

+	t.Helper()

+	h, err := apih.New(apih.Deps{

+		Pool:      pool,

+		Logger:    logger,

+		RunnerJWT: signer,

+	})

+	if err != nil {

+		t.Fatalf("api.New: %v", err)

+	}

+	r := chi.NewRouter()

+	h.Mount(r)

+	return r

+}

+

+func setupRunnerAPIRepo(t *testing.T, pool *pgxpool.Pool) (repoID, userID int64) {

+	t.Helper()

+	ctx := context.Background()

+	user, err := usersdb.New().CreateUser(ctx, pool, usersdb.CreateUserParams{

+		Username:     "alice",

+		DisplayName:  "Alice",

+		PasswordHash: runnerAPIFixtureHash,

+	})

+	if err != nil {

+		t.Fatalf("CreateUser: %v", err)

+	}

+	repo, err := reposdb.New().CreateRepo(ctx, pool, reposdb.CreateRepoParams{

+		OwnerUserID:   pgtype.Int8{Int64: user.ID, Valid: true},

+		Name:          "demo",

+		DefaultBranch: "trunk",

+		Visibility:    reposdb.RepoVisibilityPublic,

+	})

+	if err != nil {

+		t.Fatalf("CreateRepo: %v", err)

+	}

+	return repo.ID, user.ID

+}

+

+func enqueueRunnerAPIRun(t *testing.T, pool *pgxpool.Pool, logger *slog.Logger, repoID, userID int64) int64 {

+	t.Helper()

+	wf, diags, err := workflow.Parse([]byte(`name: ci

+on: push

+jobs:

+  build:

+    runs-on: ubuntu-latest

+    steps:

+      - uses: actions/checkout@v4

+      - run: go test ./...

+`))

+	if err != nil {

+		t.Fatalf("workflow.Parse: %v", err)

+	}

+	for _, d := range diags {

+		if d.Severity == workflow.Error {

+			t.Fatalf("workflow diagnostic: %v", d)

+		}

+	}

+	res, err := trigger.Enqueue(context.Background(), trigger.Deps{Pool: pool, Logger: logger}, trigger.EnqueueParams{

+		RepoID:         repoID,

+		WorkflowFile:   ".shithub/workflows/ci.yml",

+		HeadSHA:        strings.Repeat("a", 40),

+		HeadRef:        "refs/heads/trunk",

+		EventKind:      trigger.EventPush,

+		EventPayload:   map[string]any{"ref": "refs/heads/trunk"},

+		ActorUserID:    userID,

+		TriggerEventID: "push:test",

+		Workflow:       wf,

+	})

+	if err != nil {

+		t.Fatalf("trigger.Enqueue: %v", err)

+	}

+	return res.RunID

+}

+

+func registerRunnerForTest(t *testing.T, pool *pgxpool.Pool, labels []string, capacity int32) (token string, runnerID int64) {

+	t.Helper()

+	token, tokenHash, err := runnertoken.New()

+	if err != nil {

+		t.Fatalf("runnertoken.New: %v", err)

+	}

+	q := actionsdb.New()

+	runner, err := q.InsertRunner(context.Background(), pool, actionsdb.InsertRunnerParams{

+		Name:     "runner1",

+		Labels:   labels,

+		Capacity: capacity,

+	})

+	if err != nil {

+		t.Fatalf("InsertRunner: %v", err)

+	}

+	if _, err := q.InsertRunnerToken(context.Background(), pool, actionsdb.InsertRunnerTokenParams{

+		RunnerID:  runner.ID,

+		TokenHash: tokenHash,

+	}); err != nil {

+		t.Fatalf("InsertRunnerToken: %v", err)

+	}

+	return token, runner.ID

+}

+

+func runnerAPISigner(t *testing.T, now time.Time) *runnerjwt.Signer {

+	t.Helper()

+	signer, err := runnerjwt.NewFromKey(

+		bytes.Repeat([]byte{0x7c}, 32),

+		runnerjwt.WithClock(func() time.Time { return now }),

+	)

+	if err != nil {

+		t.Fatalf("runnerjwt.NewFromKey: %v", err)

+	}

+	return signer

+}

+	"github.com/tenseleyFlow/shithub/internal/auth/runnerjwt"

+		var runnerJWT *runnerjwt.Signer

+		if cfg.Auth.TOTPKeyB64 != "" {

+			runnerJWT, err = runnerjwt.NewFromTOTPKeyB64(cfg.Auth.TOTPKeyB64)

+			if err != nil {

+				return fmt.Errorf("runner jwt: %w", err)

+			}

+		} else {

+			logger.Warn("actions runner API disabled: auth.totp_key_b64 is not configured",

+				"hint", "set SHITHUB_TOTP_KEY=$(openssl rand -base64 32) to enable runner job JWTs")

+		}

+		api, err := buildAPIHandlers(pool, objectStore, runnerJWT, ratelimit.New(pool), logger)