T41: add GitHub runner provider

C33 V74 V76

Author: intel352

Makefile

@@ -1,13 +1,15 @@
 .PHONY: build test install clean
 
 BINARY_NAME = workflow-plugin-github
+PROVIDER_BINARY_NAME = github-runner-provider
 INSTALL_DIR ?= data/plugins/$(BINARY_NAME)
 
 build:
-	GOPRIVATE=github.com/GoCodeAlone/* go build -o bin/$(BINARY_NAME) ./cmd/$(BINARY_NAME)
+	GOWORK=off GOPRIVATE=github.com/GoCodeAlone/* go build -o bin/$(BINARY_NAME) ./cmd/$(BINARY_NAME)
+	GOWORK=off GOPRIVATE=github.com/GoCodeAlone/* go build -o bin/$(PROVIDER_BINARY_NAME) ./cmd/$(PROVIDER_BINARY_NAME)
 
 test:
-	GOPRIVATE=github.com/GoCodeAlone/* go test ./... -v -race
+	GOWORK=off GOPRIVATE=github.com/GoCodeAlone/* go test ./... -v -race
 
 install: build
 	mkdir -p $(DESTDIR)/$(INSTALL_DIR)

README.md

@@ -21,6 +21,36 @@ modules:
 
 The module registers an HTTP handler at `/webhooks/github`. Configure your GitHub repository webhook to point to `https://<host>/webhooks/github`.
 
+### Module: `github.runner_provider`
+
+Provides the GitHub-owned side of the workflow-compute runner provider boundary.
+It mints repository-scoped GitHub Actions runner registration tokens and removes
+runners without exposing GitHub API credentials to workflow-compute.
+
+```yaml
+modules:
+  - name: github-runners
+    type: github.runner_provider
+    config:
+      token: "${GITHUB_TOKEN}"
+      provider_token: "${GITHUB_RUNNER_PROVIDER_TOKEN}"
+      repositories: ["GoCodeAlone/workflow-compute"]
+```
+
+For local proof runs, the repo also builds `github-runner-provider`, a small
+HTTP provider service:
+
+```sh
+GITHUB_TOKEN=... \
+GITHUB_RUNNER_PROVIDER_TOKEN=... \
+GITHUB_RUNNER_PROVIDER_REPOSITORIES=GoCodeAlone/workflow-compute \
+  bin/github-runner-provider 127.0.0.1:8090
+```
+
+workflow-compute should point at that service with
+`COMPUTE_GITHUB_RUNNER_PROVIDER_URL` and
+`COMPUTE_GITHUB_RUNNER_PROVIDER_TOKEN`; it should not receive `GITHUB_TOKEN`.
+
 ### Step: `step.gh_action_trigger`
 
 Triggers a GitHub Actions workflow via `workflow_dispatch`.

cmd/github-runner-provider/main.go

@@ -0,0 +1,57 @@
+// Command github-runner-provider serves the GitHub-owned runner provider API
+// used by workflow-compute without placing GitHub API credentials in compute.
+package main
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/GoCodeAlone/workflow-plugin-github/internal"
+)
+
+func main() {
+	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
+	if err := run(context.Background(), logger, os.Args[1:]); err != nil {
+		logger.Error("github-runner-provider failed", "error", err)
+		os.Exit(1)
+	}
+}
+
+func run(ctx context.Context, logger *slog.Logger, args []string) error {
+	addr := "127.0.0.1:8090"
+	if len(args) > 0 {
+		addr = args[0]
+	}
+	githubToken := os.Getenv("GITHUB_RUNNER_PROVIDER_GITHUB_TOKEN")
+	if githubToken == "" {
+		githubToken = os.Getenv("GITHUB_TOKEN")
+	}
+	if githubToken == "" {
+		return fmt.Errorf("GITHUB_RUNNER_PROVIDER_GITHUB_TOKEN or GITHUB_TOKEN is required")
+	}
+	providerToken := os.Getenv("GITHUB_RUNNER_PROVIDER_TOKEN")
+	if providerToken == "" {
+		return fmt.Errorf("GITHUB_RUNNER_PROVIDER_TOKEN is required")
+	}
+	handler, err := internal.NewGitHubRunnerProviderHTTPHandler("github-runner-provider", map[string]any{
+		"token":          githubToken,
+		"provider_token": providerToken,
+		"api_base_url":   os.Getenv("GITHUB_API_BASE_URL"),
+		"repositories":   strings.TrimSpace(os.Getenv("GITHUB_RUNNER_PROVIDER_REPOSITORIES")),
+	})
+	if err != nil {
+		return err
+	}
+	server := &http.Server{
+		Addr:              addr,
+		Handler:           handler,
+		ReadHeaderTimeout: 5 * time.Second,
+	}
+	logger.InfoContext(ctx, "starting github-runner-provider", "addr", addr)
+	return server.ListenAndServe()
+}