connect using job url and cleanup

Author: rentziass

package.json

@@ -110,7 +110,7 @@
       {
         "command": "github-actions.debugger.connect",
         "category": "GitHub Actions",
-        "title": "Connect to Actions Job Debugger..."
+        "title": "Debug Running Job…"
       },
       {
         "command": "github-actions.explorer.refresh",

src/debugger/debugger.ts

@@ -1,73 +1,61 @@
 import * as crypto from "crypto";
 import * as vscode from "vscode";
+import {getClient} from "../api/api";
 import {getSession, newSession} from "../auth/auth";
+import {getGitHubApiUri} from "../configuration/configuration";
 import {log, logDebug, logError} from "../log";
+import {parseJobUrl} from "./jobUrl";
 import {validateTunnelUrl} from "./tunnelUrl";
 import {WebSocketDapAdapter} from "./webSocketDapAdapter";
 
-/** The custom debug type registered in package.json contributes.debuggers. */
 export const DEBUG_TYPE = "github-actions-job";
 
 /**
- * Extension-private store for auth tokens, keyed by a one-time session
- * nonce. Tokens are never placed in DebugConfiguration (which is readable
- * by other extensions via vscode.debug.activeDebugSession.configuration).
+ * Extension-private token store keyed by one-time nonce. Tokens are never
+ * placed in DebugConfiguration (readable by other extensions).
  */
 const pendingTokens = new Map<string, string>();
 
-/**
- * Registers the Actions Job Debugger command and debug adapter factory.
- *
- * Contributes:
- * - A command-palette command that prompts for a tunnel URL and starts a debug session.
- * - A DebugAdapterDescriptorFactory that returns an inline DAP-over-WS adapter.
- */
 export function registerDebugger(context: vscode.ExtensionContext): void {
-  // Register the inline adapter factory for our debug type.
   context.subscriptions.push(
     vscode.debug.registerDebugAdapterDescriptorFactory(DEBUG_TYPE, new ActionsDebugAdapterFactory())
   );
 
-  // Register a tracker to log all DAP traffic for diagnostics.
   context.subscriptions.push(
     vscode.debug.registerDebugAdapterTrackerFactory(DEBUG_TYPE, new ActionsDebugTrackerFactory())
   );
 
-  // Register the connect command.
   context.subscriptions.push(
     vscode.commands.registerCommand("github-actions.debugger.connect", () => connectToDebugger())
   );
 }
 
 async function connectToDebugger(): Promise<void> {
-  // 1. Prompt for the tunnel URL.
   const rawUrl = await vscode.window.showInputBox({
     title: "Connect to Actions Job Debugger",
-    prompt: "Enter the debugger tunnel URL (wss://…)",
-    placeHolder: "wss://xxxx-4711.region.devtunnels.ms/",
+    prompt: "Paste the URL of the Actions job to debug",
+    placeHolder: "https://github.com/owner/repo/actions/runs/123/job/456",
     ignoreFocusOut: true,
     validateInput: input => {
       if (!input) {
-        return "A tunnel URL is required";
+        return "A job URL is required";
       }
-      const result = validateTunnelUrl(input);
+      const result = parseJobUrl(input, getGitHubApiUri());
       return result.valid ? null : result.reason;
     }
   });
 
   if (!rawUrl) {
-    return; // user cancelled
+    return;
   }
 
-  const validation = validateTunnelUrl(rawUrl);
-  if (!validation.valid) {
-    void vscode.window.showErrorMessage(`Invalid tunnel URL: ${validation.reason}`);
+  const parsed = parseJobUrl(rawUrl, getGitHubApiUri());
+  if (!parsed.valid) {
+    void vscode.window.showErrorMessage(`Invalid job URL: ${parsed.reason}`);
     return;
   }
 
-  // 2. Acquire a GitHub auth session. The token is used as a Bearer token
-  //    against the Dev Tunnel relay, which accepts VS Code's GitHub app tokens.
-  //    Try silently first; fall back to prompting for sign-in if needed.
+  // Try silently first; fall back to prompting for sign-in if needed.
   let session = await getSession();
   if (!session) {
     try {
@@ -80,10 +68,48 @@ async function connectToDebugger(): Promise<void> {
     }
   }
 
-  // 3. Launch the debug session. The token is stored in extension-private
-  //    memory (not in the configuration) to avoid exposing it to other extensions.
+  const token = session.accessToken;
+  let debuggerUrl: string;
+  try {
+    debuggerUrl = await vscode.window.withProgress(
+      {location: vscode.ProgressLocation.Notification, title: "Connecting to Actions job debugger…"},
+      async () => {
+        const octokit = getClient(token);
+        const response = await octokit.request("GET /repos/{owner}/{repo}/actions/jobs/{job_id}/debugger", {
+          owner: parsed.owner,
+          repo: parsed.repo,
+          job_id: parsed.jobId
+        });
+        return (response.data as {debugger_url: string}).debugger_url;
+      }
+    );
+  } catch (e) {
+    const status = (e as {status?: number}).status;
+    if (status === 404) {
+      void vscode.window.showErrorMessage(
+        "Debugger is not available for this job. Make sure the job is running with debugging enabled."
+      );
+    } else if (status === 403) {
+      void vscode.window.showErrorMessage(
+        "Permission denied. You may need to re-authenticate or check your access to this repository."
+      );
+    } else {
+      const msg = (e as Error).message || "Unknown error";
+      void vscode.window.showErrorMessage(`Failed to fetch debugger URL: ${msg}`);
+    }
+    return;
+  }
+
+  const validation = validateTunnelUrl(debuggerUrl);
+  if (!validation.valid) {
+    void vscode.window.showErrorMessage(`Invalid debugger URL returned by API: ${validation.reason}`);
+    return;
+  }
+
+  // Store token in extension-private memory (not in the config) to avoid
+  // exposing it to other extensions.
   const nonce = crypto.randomBytes(16).toString("hex");
-  pendingTokens.set(nonce, session.accessToken);
+  pendingTokens.set(nonce, token);
 
   const config: vscode.DebugConfiguration = {
     type: DEBUG_TYPE,
@@ -114,7 +140,7 @@ class ActionsDebugAdapterFactory implements vscode.DebugAdapterDescriptorFactory
     const nonce = session.configuration.__tokenNonce as string | undefined;
     const token = nonce ? pendingTokens.get(nonce) : undefined;
 
-    // Consume the token immediately so it cannot be replayed.
+    // Consume immediately so it cannot be replayed.
     if (nonce) {
       pendingTokens.delete(nonce);
     }
@@ -125,7 +151,6 @@ class ActionsDebugAdapterFactory implements vscode.DebugAdapterDescriptorFactory
       );
     }
 
-    // Re-validate the tunnel URL as defense-in-depth
     const revalidation = validateTunnelUrl(tunnelUrl);
     if (!revalidation.valid) {
       throw new Error(`Invalid debugger tunnel URL: ${revalidation.reason}`);

src/debugger/jobUrl.test.ts

@@ -0,0 +1,133 @@
+import {parseJobUrl, getExpectedWebHost} from "./jobUrl";
+
+const GITHUB_API_URI = "https://api.github.com";
+
+describe("getExpectedWebHost", () => {
+  it("maps api.github.com to github.com", () => {
+    expect(getExpectedWebHost("https://api.github.com")).toBe("github.com");
+  });
+
+  it("maps GHE Server api/v3 URL to the server host", () => {
+    expect(getExpectedWebHost("https://github.mycompany.com/api/v3")).toBe("github.mycompany.com");
+  });
+
+  it("maps GHE Cloud api.<org>.ghe.com to <org>.ghe.com", () => {
+    expect(getExpectedWebHost("https://api.myorg.ghe.com")).toBe("myorg.ghe.com");
+  });
+
+  it("handles trailing slash on /api/v3/", () => {
+    expect(getExpectedWebHost("https://github.mycompany.com/api/v3/")).toBe("github.mycompany.com");
+  });
+});
+
+describe("parseJobUrl", () => {
+  it("accepts a valid github.com job URL", () => {
+    const result = parseJobUrl(
+      "https://github.com/galactic-potatoes/rentziass-test/actions/runs/24241071410/job/70775904678",
+      GITHUB_API_URI
+    );
+    expect(result).toEqual({valid: true, owner: "galactic-potatoes", repo: "rentziass-test", jobId: "70775904678"});
+  });
+
+  it("accepts a valid URL with trailing slash", () => {
+    const result = parseJobUrl(
+      "https://github.com/owner/repo/actions/runs/111/job/222/",
+      GITHUB_API_URI
+    );
+    expect(result).toEqual({valid: true, owner: "owner", repo: "repo", jobId: "222"});
+  });
+
+  it("ignores query string and hash", () => {
+    const result = parseJobUrl(
+      "https://github.com/owner/repo/actions/runs/111/job/222?pr=1#step:2:3",
+      GITHUB_API_URI
+    );
+    expect(result).toEqual({valid: true, owner: "owner", repo: "repo", jobId: "222"});
+  });
+
+  it("rejects wrong host", () => {
+    const result = parseJobUrl(
+      "https://gitlab.com/owner/repo/actions/runs/111/job/222",
+      GITHUB_API_URI
+    );
+    expect(result.valid).toBe(false);
+    if (!result.valid) {
+      expect(result.reason).toContain("gitlab.com");
+    }
+  });
+
+  it("rejects http:// scheme", () => {
+    const result = parseJobUrl(
+      "http://github.com/owner/repo/actions/runs/111/job/222",
+      GITHUB_API_URI
+    );
+    expect(result.valid).toBe(false);
+    if (!result.valid) {
+      expect(result.reason).toContain("https://");
+    }
+  });
+
+  it("rejects a repo URL without /job/ segment", () => {
+    const result = parseJobUrl("https://github.com/owner/repo", GITHUB_API_URI);
+    expect(result.valid).toBe(false);
+    if (!result.valid) {
+      expect(result.reason).toContain("job URL");
+    }
+  });
+
+  it("rejects a run URL without /job/ segment", () => {
+    const result = parseJobUrl("https://github.com/owner/repo/actions/runs/111", GITHUB_API_URI);
+    expect(result.valid).toBe(false);
+    if (!result.valid) {
+      expect(result.reason).toContain("job URL");
+    }
+  });
+
+  it("rejects empty string", () => {
+    const result = parseJobUrl("", GITHUB_API_URI);
+    expect(result.valid).toBe(false);
+  });
+
+  it("rejects malformed URL", () => {
+    const result = parseJobUrl("not a url at all", GITHUB_API_URI);
+    expect(result.valid).toBe(false);
+    if (!result.valid) {
+      expect(result.reason).toContain("Invalid URL");
+    }
+  });
+
+  it("rejects URL with credentials", () => {
+    const result = parseJobUrl(
+      "https://user:pass@github.com/owner/repo/actions/runs/111/job/222",
+      GITHUB_API_URI
+    );
+    expect(result.valid).toBe(false);
+    if (!result.valid) {
+      expect(result.reason).toContain("Credentials");
+    }
+  });
+
+  it("accepts non-numeric job ID", () => {
+    const result = parseJobUrl(
+      "https://github.com/owner/repo/actions/runs/111/job/abc-123",
+      GITHUB_API_URI
+    );
+    expect(result).toEqual({valid: true, owner: "owner", repo: "repo", jobId: "abc-123"});
+  });
+
+  it("accepts plural /jobs/ path variant", () => {
+    const result = parseJobUrl(
+      "https://github.com/owner/repo/actions/runs/111/jobs/222",
+      GITHUB_API_URI
+    );
+    expect(result).toEqual({valid: true, owner: "owner", repo: "repo", jobId: "222"});
+  });
+
+  it("validates against GHE Server host", () => {
+    const result = parseJobUrl(
+      "https://github.mycompany.com/owner/repo/actions/runs/111/job/222",
+      "https://github.mycompany.com/api/v3"
+    );
+    expect(result).toEqual({valid: true, owner: "owner", repo: "repo", jobId: "222"});
+  });
+});

src/debugger/jobUrl.ts

@@ -0,0 +1,56 @@
+type ParseResult = {valid: true; owner: string; repo: string; jobId: string} | {valid: false; reason: string};
+
+/**
+ * Derives the expected web host from the configured GitHub API URI.
+ *
+ *   https://api.github.com        → github.com
+ *   https://api.myorg.ghe.com     → myorg.ghe.com   (GHE Cloud)
+ *   https://myserver.com/api/v3   → myserver.com     (GHE Server)
+ */
+export function getExpectedWebHost(apiUri: string): string {
+  const url = new URL(apiUri);
+  // GHE Server: host/api/v3
+  if (url.pathname.replace(/\/$/, "") === "/api/v3") {
+    return url.hostname;
+  }
+  // github.com or GHE Cloud (api.<org>.ghe.com): strip leading "api."
+  if (url.hostname.startsWith("api.")) {
+    return url.hostname.slice(4);
+  }
+  return url.hostname;
+}
+
+const JOB_PATH_RE = /^\/([^/]+)\/([^/]+)\/actions\/runs\/[^/]+\/jobs?\/([^/]+)\/?$/;
+
+// Expected format: https://github.com/{owner}/{repo}/actions/runs/{runId}/job/{jobId}
+export function parseJobUrl(raw: string, apiUri: string): ParseResult {
+  let parsed: URL;
+  try {
+    parsed = new URL(raw);
+  } catch {
+    return {valid: false, reason: "Invalid URL format"};
+  }
+
+  if (parsed.protocol !== "https:") {
+    return {valid: false, reason: "URL must use https:// scheme"};
+  }
+
+  if (parsed.username || parsed.password) {
+    return {valid: false, reason: "Credentials in URL are not allowed"};
+  }
+
+  const expectedHost = getExpectedWebHost(apiUri);
+  if (parsed.hostname !== expectedHost) {
+    return {valid: false, reason: `Expected host "${expectedHost}", got "${parsed.hostname}"`};
+  }
+
+  const match = JOB_PATH_RE.exec(parsed.pathname);
+  if (!match) {
+    return {
+      valid: false,
+      reason: "URL must be a GitHub Actions job URL (…/{owner}/{repo}/actions/runs/{runId}/job/{jobId})"
+    };
+  }
+
+  return {valid: true, owner: match[1], repo: match[2], jobId: match[3]};
+}

src/debugger/tunnelUrl.ts

@@ -4,13 +4,6 @@
  */
 const ALLOWED_TUNNEL_HOST_PATTERN = /\.devtunnels\.ms$/;
 
-/**
- * Validates a Dev Tunnel websocket URL for the Actions job debugger.
- *
- * Requirements:
- *   - Must use wss:// (cleartext ws:// is rejected to protect the auth token)
- *   - Host must match an allowed tunnel domain (*.devtunnels.ms)
- */
 export function validateTunnelUrl(raw: string): {valid: true; url: string} | {valid: false; reason: string} {
   let parsed: URL;
   try {