Merge branch 'main' into dependabot/docker/golang-1.26-alpine

Author: ysyneu

.github/ISSUE_TEMPLATE/bug_report.md

@@ -37,16 +37,16 @@ A clear and concise description of what you expected to happen and what actually
 
 ### Logs
 
-Paste any available logs. Redact sensitive information like API keys.
+Paste any available logs. Redact sensitive information like tokens.
 
 ```
 (paste logs here)
 ```
 
 ### Configuration (if relevant)
 
-```yaml
-# Paste relevant config (redact api_key!)
+```
+# Paste relevant flags/env vars (redact token!)
 ```
 
 ### Additional context

.github/workflows/code-scanning.yml

@@ -33,14 +33,14 @@ jobs:
           go-version-file: "go.mod"
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/docker-publish.yml

@@ -42,7 +42,7 @@ jobs:
 
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |

Dockerfile

@@ -2,42 +2,30 @@ FROM golang:1.26-alpine AS build
 ARG VERSION="dev"
 ARG TARGETARCH
 
-# Set the working directory
 WORKDIR /build
 
-# Install git for version info
 RUN --mount=type=cache,target=/var/cache/apk \
     apk add git
 
-# Build the runner
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=bind,target=. \
     CGO_ENABLED=0 GOARCH=${TARGETARCH} go build \
     -ldflags="-s -w -X main.Version=${VERSION} -X main.GitCommit=$(git rev-parse --short HEAD 2>/dev/null || echo unknown) -X main.BuildTime=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
     -o /bin/flashduty-runner ./cmd
 
-# Make a stage to run the app
 FROM gcr.io/distroless/base-debian12
 
-# Set the working directory
 WORKDIR /app
 
-# Copy the binary from the build stage
 COPY --from=build /bin/flashduty-runner .
 
-# Set environment variables
-ENV FLASHDUTY_RUNNER_API_KEY=""
-ENV FLASHDUTY_RUNNER_API_URL="wss://api.flashcat.cloud/runner/ws"
-ENV FLASHDUTY_RUNNER_NAME=""
-ENV FLASHDUTY_RUNNER_WORKSPACE_ROOT="/workspace"
-ENV FLASHDUTY_RUNNER_AUTO_UPDATE="false"
+ENV FLASHDUTY_RUNNER_TOKEN=""
+ENV FLASHDUTY_RUNNER_URL="wss://api.flashcat.cloud/safari/worknode/ws"
+ENV FLASHDUTY_RUNNER_WORKSPACE="/workspace"
+ENV FLASHDUTY_RUNNER_LOG_LEVEL="info"
 
-# Create workspace directory
 VOLUME ["/workspace"]
 
-# Set the entrypoint
 ENTRYPOINT ["/app/flashduty-runner"]
-
-# Default command
 CMD ["run"]

README.md

@@ -40,7 +40,7 @@ The runner establishes a persistent WebSocket connection to Flashduty cloud, rec
 
 | Layer | Protection |
 |-------|------------|
-| **Transport** | TLS-encrypted WebSocket, API Key authentication |
+| **Transport** | TLS-encrypted WebSocket, token authentication |
 | **Command Execution** | Shell parsing to prevent injection attacks (e.g., `cmd1; cmd2`) |
 | **Permission Control** | Configurable glob-based command whitelist/blacklist |
 | **File System** | Operations sandboxed to workspace root, symlink escape protection |
@@ -127,48 +127,30 @@ sudo mv flashduty-runner /usr/local/bin/
 ```bash
 docker run -d \
   --name flashduty-runner \
-  -e FLASHDUTY_RUNNER_API_KEY=your_api_key \
-  -e FLASHDUTY_RUNNER_NAME=my-runner \
+  -e FLASHDUTY_RUNNER_TOKEN=ent_xxx \
   -v /var/flashduty/workspace:/workspace \
-  ghcr.io/flashcatcloud/flashduty-runner:latest
-```
-
-### Configuration
-
-Create `~/.flashduty-runner/config.yaml`:
-
-```yaml
-# API Key from Flashduty Console (required)
-api_key: "fk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-
-# Runner display name (optional, defaults to hostname)
-name: "prod-k8s-runner"
-
-# Labels for task routing (optional)
-labels:
-  - k8s
-  - production
-
-# Workspace root directory (optional)
-workspace_root: "/var/flashduty/workspace"
+  registry.flashcat.cloud/public/flashduty-runner:latest
 
-# Command permissions (see Security section for options)
-permission:
-  bash:
-    "*": "deny"
-    "kubectl get *": "allow"
-    "kubectl describe *": "allow"
-    "kubectl logs *": "allow"
+# With custom endpoint
+docker run -d \
+  --name flashduty-runner \
+  -e FLASHDUTY_RUNNER_TOKEN=ent_xxx \
+  -e FLASHDUTY_RUNNER_URL=wss://custom.example.com/safari/environment/ws \
+  -v /var/flashduty/workspace:/workspace \
+  registry.flashcat.cloud/public/flashduty-runner:latest
 ```
 
 ### Running
 
 ```bash
-# Start the runner
-flashduty-runner run
+# Basic usage (token required)
+flashduty-runner run --token ent_xxx
+
+# Specify workspace directory
+flashduty-runner run --token ent_xxx --workspace ~/projects
 
-# Start with custom config
-flashduty-runner run --config /path/to/config.yaml
+# Specify custom WebSocket endpoint
+flashduty-runner run --token ent_xxx --url wss://custom.example.com/safari/environment/ws
 
 # Check version
 flashduty-runner version
@@ -186,6 +168,7 @@ After=network.target
 [Service]
 Type=simple
 User=flashduty
+EnvironmentFile=/etc/flashduty-runner/env
 ExecStart=/usr/local/bin/flashduty-runner run
 Restart=always
 RestartSec=5
@@ -194,40 +177,31 @@ RestartSec=5
 WantedBy=multi-user.target
 ```
 
+Create `/etc/flashduty-runner/env`:
+
 ```bash
-sudo systemctl daemon-reload
-sudo systemctl enable --now flashduty-runner
+FLASHDUTY_RUNNER_TOKEN=ent_xxx
+# FLASHDUTY_RUNNER_URL=wss://custom.example.com/safari/environment/ws
+# FLASHDUTY_RUNNER_WORKSPACE=/var/flashduty/workspace
 ```
 
-## Configuration Reference
-
-| Field | Required | Default | Description |
-|-------|----------|---------|-------------|
-| `api_key` | Yes | - | Flashduty API Key |
-| `api_url` | No | `wss://api.flashcat.cloud/runner/ws` | WebSocket endpoint |
-| `name` | No | hostname | Runner display name |
-| `labels` | No | [] | Labels for task routing |
-| `workspace_root` | No | `~/.flashduty-runner/workspace` | Workspace directory |
-| `permission.bash` | No | deny all | Command permission rules |
-| `log.level` | No | `info` | Log level: debug, info, warn, error |
-
-### Environment Variables
-
-All options can be set via environment variables with `FLASHDUTY_RUNNER_` prefix:
-
 ```bash
-FLASHDUTY_RUNNER_API_KEY=fk_xxx
-FLASHDUTY_RUNNER_NAME=my-runner
-FLASHDUTY_RUNNER_WORKSPACE_ROOT=/workspace
+sudo mkdir -p /etc/flashduty-runner
+sudo vim /etc/flashduty-runner/env   # add your token
+sudo systemctl daemon-reload
+sudo systemctl enable --now flashduty-runner
 ```
 
-### Built-in Labels
+## Configuration Reference
 
-The runner automatically adds these labels for routing:
+Configuration is via command-line flags or environment variables (flags take precedence).
 
-- `os:linux` / `os:darwin` / `os:windows`
-- `arch:amd64` / `arch:arm64`
-- `hostname:<machine-hostname>`
+| Flag | Env Variable | Required | Default | Description |
+|------|-------------|----------|---------|-------------|
+| `--token` | `FLASHDUTY_RUNNER_TOKEN` | Yes | - | Authentication token |
+| `--url` | `FLASHDUTY_RUNNER_URL` | No | `wss://api.flashcat.cloud/safari/environment/ws` | WebSocket endpoint |
+| `--workspace` | `FLASHDUTY_RUNNER_WORKSPACE` | No | `~/.flashduty-runner/workspace` | Workspace root directory |
+| `--log-level` | `FLASHDUTY_RUNNER_LOG_LEVEL` | No | `info` | Log level: debug, info, warn, error |
 
 ## Troubleshooting
 
@@ -236,8 +210,8 @@ The runner automatically adds these labels for routing:
 | Symptom | Cause | Solution |
 |---------|-------|----------|
 | `failed to connect` | Network issue | Check firewall allows outbound port 443 |
-| `authentication failed` | Invalid API Key | Verify API Key in Flashduty console |
-| Runner not showing online | Connection dropped | Check logs, verify API Key matches account |
+| `authentication failed` | Invalid token | Verify token in Flashduty console |
+| Runner not showing online | Connection dropped | Check logs, verify token matches account |
 
 ```bash
 # Test connectivity
@@ -263,9 +237,11 @@ journalctl -u flashduty-runner -f
 
 Enable debug logging to see detailed permission decisions:
 
-```yaml
-log:
-  level: "debug"
+```bash
+flashduty-runner run --token ent_xxx --log-level debug
+
+# Or via environment variable
+export FLASHDUTY_RUNNER_LOG_LEVEL=debug
 ```
 
 ## Contributing