fix(runners): restore project runners list endpoint #3909

Open

cursor[bot] wants to merge 1 commit into develop from cursor/critical-bug-investigation-578a
@cursor cursor Bot commented Jun 1, 2026

Bug and impact

Commit ff963e7d (fix(runners): do not include inactive global runners to endpoint /project/runners) accidentally replaced the entire GetRunners handler with []any{}. The /api/project/{project_id}/runners endpoint always returned an empty list, so project runner management in the UI was completely broken for all users.

Root cause

The intended change was to exclude inactive global runners from the merged project/global runner list. Instead, the handler body was removed and replaced with a hard-coded empty response.

Fix

  • Restore fetching project runners via store.GetRunners
  • Merge active global runners that have tags (per API docs), excluding inactive globals
  • Add mergeProjectRunnersList unit test

Validation

  • go test ./api/projects/... in the pro module (passes)

Commit ff963e7 accidentally replaced GetRunners with an empty array,
breaking the /project/{id}/runners API for all users.

Restore fetching project runners and merge active tagged global runners,
excluding inactive global runners as originally intended.

Co-authored-by: Denis Gukov <fiftin@outlook.com>
@fiftin fiftin marked this pull request as ready for review June 1, 2026 17:29
@cursor cursor Bot left a comment

Security review

Outcome: No medium, high, or critical vulnerabilities found in this PR.

Scope reviewed

  • pro/api/projects/runners.go — restored GetRunners and mergeProjectRunnersList
  • pro/api/projects/runners_test.go — unit test for merge logic
  • pro/go.mod — test dependency only

Prior automation threads

No unresolved security-review threads were present on this PR.

Analysis

Authentication / authorization

  • GET /api/project/{project_id}/runners remains behind authenticatedAPI, ProjectMiddleware, and GetMustCanMiddleware(db.CanManageProjectResources) (api/router.go). Callers must be project members with resource-management permission; project_id comes from the route and is validated in middleware, not from request body input.

Sensitive fields

  • db.Runner omits token and public_key from JSON (json:"-"). The response exposes metadata (name, tags, webhook, activity) consistent with the existing admin runners API and the project runners UI.

Global runner merge

  • Listing active tagged global runners alongside project runners matches the tagged-global-runner feature (#3804) and what the project Runners UI expects. Inactive and untagged globals are filtered in mergeProjectRunnersList. This is a functional restore after commit ff963e7d accidentally returned []; it is not an auth bypass for create/update/delete (those handlers still return 404 in pro).

Injection / other classes

  • No user-controlled strings reach SQL or shell sinks in the changed code; store calls use typed parameters and server-side project.ID.

Slack summary

PR #3909 security review: clean — no medium+ issues. Restores project runner listing with intended global-runner merge; auth and secret redaction look sound.

Sent by Cursor Automation: Find vulnerabilities
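
The global-runner filter and the `json:"-"` redaction discussed in the review above, as an added Go example that is not the PR's code and not from the project. The `Runner` fields, the helper names `mergeRunners`, `listJSON` and `sampleData`, and the choice to leave project runners unfiltered are assumptions; the sample runners are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Runner is a hypothetical stand-in for db.Runner; field names are assumptions.
type Runner struct {
	ID        int      `json:"id"`
	Name      string   `json:"name"`
	Active    bool     `json:"active"`
	Tags      []string `json:"tags"`
	Token     string   `json:"-"` // secret: excluded from every JSON response
	PublicKey string   `json:"-"` // excluded as well
}

// mergeRunners (hypothetical) keeps project runners, adds only active tagged globals.
func mergeRunners(project, global []Runner) []Runner {
	out := make([]Runner, 0, len(project)+len(global)) // non-nil: encodes as [] not null
	out = append(out, project...)
	for _, r := range global {
		if r.Active && len(r.Tags) > 0 {
			out = append(out, r)
		}
	}
	return out
}

// listJSON encodes the merged list as a handler would before writing it out.
func listJSON(project, global []Runner) (string, error) {
	b, err := json.Marshal(mergeRunners(project, global))
	return string(b), err
}

// sampleData returns constructed input: one project runner, three globals.
func sampleData() ([]Runner, []Runner) {
	return []Runner{{ID: 1, Name: "proj", Token: "t-proj"}},
		[]Runner{
			{ID: 2, Name: "g-ok", Active: true, Tags: []string{"linux"}, Token: "t-ok"},
			{ID: 3, Name: "g-inactive", Tags: []string{"linux"}, Token: "t-in"},
			{ID: 4, Name: "g-untagged", Active: true, Token: "t-un"},
		}
}

func main() {
	s, _ := listJSON(sampleData())
	fmt.Println(s)
}
```

A regression test of this shape would have caught both the hard-coded empty response and any later change that starts serializing the token field.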
