ci(actions): route PR checks to self-hosted runner#3986
Conversation
- move core PR validation workflows from GitHub-hosted runners to self-hosted
- align cross-platform check with the available Linux self-hosted runner
- fix check_build_test needs references and refresh setup-node action
Pull request overview
Routes the repository’s PR validation workflows away from GitHub-hosted runners and onto the repository’s self-hosted runner so PR checks can run with the currently available runner footprint.
Changes:
- Switched multiple PR/push workflows from `ubuntu-latest`/`larger-runner`/`macos-latest` to `self-hosted`.
- Simplified cross-platform checks to Linux-only and hard-coded Linux OpenSSL env paths accordingly.
- Updated Node setup in the SDK/Web test job to `actions/setup-node@v4` and corrected `needs` usage by including `check_changes`.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| .github/workflows/validation.yml | Routes validation jobs (Dockerfile checks, ShellCheck, Homebrew audit) to the self-hosted runner. |
| .github/workflows/quick_checks.yml | Routes quick PR checks (fmt/license/move constants) to the self-hosted runner. |
| .github/workflows/dependency-review.yml | Routes dependency review job to the self-hosted runner. |
| .github/workflows/cross_platform_check.yml | Removes macOS from the matrix; aligns build/env setup to a Linux self-hosted target. |
| .github/workflows/codeql.yml | Routes CodeQL scanning job to the self-hosted runner. |
| .github/workflows/check_build_test.yml | Routes the main build/test pipeline to self-hosted; fixes needs for check_changes; updates setup-node to v4. |
| .github/workflows/cancel.yml | Routes workflow cancellation job to the self-hosted runner. |
| @@ -28,7 +28,7 @@ jobs: | |||
| # Phase 1: Check changes | |||
| check_changes: | |||
| name: Check Changes | |||
These workflows run on pull_request events, and switching to a generic runs-on: self-hosted means untrusted PR code will execute on your self-hosted infrastructure. If this repo accepts PRs from forks/external contributors, consider restricting self-hosted execution (e.g., only when github.event.pull_request.head.repo.fork == false / same-repo PRs) or routing fork PRs to a hardened/ephemeral runner label dedicated to untrusted workloads.
| name: Check Changes | |
| name: Check Changes | |
| if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false |
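Review bot: the `if:` suggested here sits on the one job every other job in check_build_test.yml now depends on (the PR description says the `needs` references were fixed to include `check_changes`), so a skipped `check_changes` skips the whole build/test pipeline for a fork PR and the PR ends with no result at all, which is easy to mistake for a pass. Either state that in a comment next to the condition, or leave `check_changes` unconditional (it is the phase-1 change-detection job) and apply the fork condition, or a different runner label, to the jobs that actually compile and run PR code.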
| matrix: | ||
| include: | ||
| - os: ubuntu-latest | ||
| - os: self-hosted | ||
| target: x86_64-unknown-linux-gnu | ||
| - os: macos-latest | ||
| target: aarch64-apple-darwin | ||
| # Temporarily disable Windows due to libgit2_sys linking issues with Rust 1.91 |
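Review bot: this matrix now builds only `x86_64-unknown-linux-gnu`; the `aarch64-apple-darwin` row is gone and Windows is already disabled per the comment on the last line, so the job no longer checks any platform other than Linux while the workflow is still called cross_platform_check. Record that next to the existing Windows comment so a green run is not read as cross-platform coverage, and since the replacement runner keeps its filesystem between jobs (unlike the `macos-latest`/`ubuntu-latest` VMs it replaces), make sure its work directory and toolchain caches are cleaned between runs before PR-controlled build scripts are allowed on it.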
os: self-hosted in the matrix is not an OS selector; it can match any self-hosted runner (including non-Linux). Several steps/env blocks assume Linux (apt-get, /usr/lib/x86_64-linux-gnu, etc.), so this can mis-schedule or break if additional self-hosted runners exist. Consider using runner labels that pin the platform/arch (e.g., [self-hosted, linux, x64]) or split the matrix into separate runner vs platform keys and gate steps on the platform key.
| # - https://gh.io/using-larger-runners (GitHub.com only) | ||
| # Consider using larger runners or machines with greater resources for possible analysis time improvements. | ||
| runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} | ||
| runs-on: self-hosted |
Running CodeQL on pull_request using a generic self-hosted runner has two practical risks: (1) it executes PR-controlled code/tools on your self-hosted machine, and (2) CodeQL analyses can be long-running and may monopolize the shared runner used for core CI. Consider targeting a dedicated, isolated runner label/runner group for CodeQL (separate from PR validation), or gating self-hosted usage to trusted branches/PRs only.
| runs-on: self-hosted | |
| runs-on: ubuntu-latest |
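Review bot: the expression removed here sent `swift` matrix entries to `macos-latest`; with a flat `runs-on: self-hosted`, any `swift` entry still in the language matrix lands on the Linux runner, so either remove swift from the matrix in the same change or confirm the runner carries the toolchain CodeQL needs for it. The two comment lines above about larger runners (`GitHub.com only`) no longer apply to a self-hosted job and can go. Reverting to `ubuntu-latest`, as suggested above, does not fit this repository: the PR description says GitHub-hosted jobs fail before doing useful work here, so a dedicated label or runner group for CodeQL is the workable option.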
| pull-requests: write | ||
|
|
||
| jobs: | ||
| dependency-review: |
This workflow is triggered by pull_request and now runs on self-hosted. Dependency review checks PR-provided manifests and can be triggered by forks; running it on a general-purpose self-hosted runner increases exposure of the runner to untrusted inputs. Consider restricting to same-repo PRs or using a hardened/ephemeral runner label dedicated to untrusted PR workflows.
| dependency-review: | |
| dependency-review: | |
| if: ${{ github.event.pull_request.head.repo.full_name == github.repository }} |
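Review bot: if this job wraps the standard dependency review action, it only calls the dependency graph diff API for the PR's base and head and neither checks out nor executes PR code, so it is the least exposed of the jobs moved to self-hosted; gating it on `head.repo.full_name == github.repository` as suggested would disable manifest review precisely for external PRs that introduce new dependencies. Keep it unconditional and scope the token instead: with `pull-requests: write` already declared above, add an explicit `contents: read` so the job holds no other write permission.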
| jobs: | ||
| check_validation_changes: | ||
| name: Check Validation Changes | ||
| runs-on: ubuntu-latest | ||
| runs-on: self-hosted | ||
| outputs: |
These jobs run Docker builds on pull_request events and now execute on the shared self-hosted runner. Docker builds for untrusted PRs are a common escalation path on self-hosted runners (e.g., via mounting the Docker socket or abusing build context); please ensure the runner is isolated/ephemeral or restrict these jobs to trusted PRs only (same-repo, label-gated, etc.).
| cancel: | ||
| name: 'Cancel Previous Runs' | ||
| runs-on: ubuntu-latest | ||
| runs-on: self-hosted |
The cancel job is lightweight but now consumes the self-hosted runner. If the self-hosted runner is a constrained resource for build/test jobs, this can add queueing delays. Consider running cancellation on a separate lightweight runner label/runner group so it doesn't contend with core CI.
| runs-on: self-hosted | |
| runs-on: ubuntu-latest |
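Review bot: a cancel job that itself runs on the shared self-hosted runner queues behind the run it is supposed to cancel whenever that runner is busy, so on a single runner it only ever starts after the previous build has finished and cancels nothing useful. Drop the job and put a `concurrency:` block with `cancel-in-progress: true` (grouped by workflow and PR/ref) on each workflow that needs it; GitHub performs the cancellation itself and no runner is consumed. That also sidesteps the `ubuntu-latest` revert suggested above, which the PR description says fails in this environment.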
| quick_checks: | ||
| name: Quick Checks | ||
| runs-on: ubuntu-latest | ||
| runs-on: self-hosted |
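Review bot: keep quick_checks on self-hosted rather than reverting it to `ubuntu-latest`, since the PR description says GitHub-hosted jobs fail before doing useful work here; if the concern is a fast gate queueing behind build/test on one runner, register a second runner with a distinct label (for example `[self-hosted, linux, x64, quick]`) and point this job at it, and set a short `timeout-minutes` so a wedged check releases the runner.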
This workflow is intended to be a fast PR gate, but running it on the shared self-hosted runner means it competes with heavier build/test jobs for the same capacity. If runner throughput is a concern, consider targeting a separate lightweight runner label/runner group for quick checks (or keeping it on a GitHub-hosted runner if those are available in this environment).
| runs-on: self-hosted | |
| runs-on: ubuntu-latest |
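The points raised in the review comments above (gating on same-repo PRs, pinning runner labels instead of a bare `self-hosted`, splitting the matrix into a runner key and a platform key, giving CodeQL its own runner label, and replacing the cancel job with `concurrency`) combined into one PR workflow, as an added example that is not part of this PR or the repository's workflow files. It assumes the shared self-hosted runner is registered with the labels `linux` and `x64`, that an isolated, ephemeral runner with the extra label `untrusted` exists for fork PRs and another with the label `codeql` for analysis, and it uses illustrative job names, a `javascript-typescript` CodeQL matrix and generic cargo commands; none of these labels, names or commands appear in the PR.

```yaml
# Added example, not part of PR #3986 or the repository's workflow files.
# Assumptions (not shown anywhere in the PR): the shared self-hosted runner
# carries the labels `linux` and `x64`; an isolated, ephemeral runner carries
# the extra label `untrusted` and is reserved for fork PRs; a further runner
# carries the label `codeql`. Job names and the build/test commands are
# illustrative.
name: PR checks (hardened example)

on:
  pull_request:

# Replaces a separate "Cancel Previous Runs" job: GitHub itself cancels the
# older in-progress run for the same PR, so no runner time is spent on it and
# the cancellation cannot queue behind the run it is meant to stop.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# Least privilege for GITHUB_TOKEN; a job that needs more declares it itself.
permissions:
  contents: read

jobs:
  build_test:
    name: Build and test
    # A bare `self-hosted` label matches any self-hosted runner, so pin the
    # platform and architecture. Same-repo PRs (Dependabot included) use the
    # shared runner; PRs from forks go to the isolated `untrusted` runner
    # instead of being silently skipped.
    runs-on: ${{ github.event.pull_request.head.repo.full_name == github.repository && fromJSON('["self-hosted","linux","x64"]') || fromJSON('["self-hosted","linux","x64","untrusted"]') }}
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config on a persistent runner.
          persist-credentials: false
      - name: Unit tests
        run: cargo test --locked

  cross_platform:
    name: Build (${{ matrix.target }})
    # Only same-repo PRs reach the shared runner for a full build.
    if: github.event.pull_request.head.repo.full_name == github.repository
    strategy:
      fail-fast: false
      matrix:
        include:
          # `runner` picks the machine, `os` drives platform-specific steps;
          # the two are deliberately separate keys.
          - runner: '["self-hosted","linux","x64"]'
            os: linux
            target: x86_64-unknown-linux-gnu
          # macOS is disabled until a macOS self-hosted runner exists; keeping
          # the row here (commented out) records that this check is Linux-only.
          # - runner: '["self-hosted","macos","arm64"]'
          #   os: macos
          #   target: aarch64-apple-darwin
    runs-on: ${{ fromJSON(matrix.runner) }}
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Linux build dependencies
        if: matrix.os == 'linux'
        run: sudo apt-get update && sudo apt-get install -y pkg-config libssl-dev
      - name: Build
        run: cargo build --locked --target ${{ matrix.target }}

  codeql:
    name: CodeQL
    # Long-running analysis gets its own runner label so it cannot monopolise
    # the runner that serves build_test.
    runs-on: [self-hosted, linux, x64, codeql]
    if: github.event.pull_request.head.repo.full_name == github.repository
    timeout-minutes: 120
    permissions:
      contents: read
      security-events: write
    strategy:
      matrix:
        # Assumed language; the PR's own CodeQL matrix is not shown.
        language: [javascript-typescript]
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3
```

The `runs-on` expression in `build_test` is the one piece that decides where untrusted code lands: it is evaluated by GitHub before a runner is assigned, so a fork PR can never reach the shared runner even if every later step is attacker-controlled. The `if:` on `cross_platform` and `codeql` instead skips those jobs for fork PRs outright; if any of them is a required status check, that skip has to be accounted for in branch protection.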
Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files
Summary

`needs.check_changes` references and update `actions/setup-node`

Why

The repository's Dependabot and normal PR checks were still targeting GitHub-hosted runners (`ubuntu-latest`, `macos-latest`, `larger-runner`). With the current runner setup, those jobs fail before executing useful work. This change points the main PR validation path at the repository's active self-hosted runner so dependency PRs like #3985 can be evaluated again.

Testing

actionlint on updated workflows