diff options
| author | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-11 00:18:12 +0300 |
|---|---|---|
| committer | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-11 00:18:12 +0300 |
| commit | 6aa6d83cdd95e514f0fa06258a8c1ba298a5dfd8 (patch) | |
| tree | 81a98f1606b3bb7f744e925e5ce1188e3be06a8b /docs/_static/css/code-snippets.css | |
| parent | d15e22a0bbd12b457f0d12d20e58e702c19302b7 (diff) | |
| download | vyos-documentation-6aa6d83cdd95e514f0fa06258a8c1ba298a5dfd8.tar.gz vyos-documentation-6aa6d83cdd95e514f0fa06258a8c1ba298a5dfd8.zip | |
ci(ai-validation): switch to GitHub-hosted ubuntu-latest runners
The `vyos` org does not have self-hosted runners labeled `web` (those
live in the VyOS-Networks org pool and only serve repos there). Every
AI Validation run queued since #1947 merged sat in `queued` state
indefinitely with no runner picking it up — observed across all recent
PRs (#1955 mergify backports, #1956, plus several yuriy/* branches).
Switching both `prepare` and `validate` jobs to `runs-on: ubuntu-latest`:
* Removes the host-isolation half of the prepare-job rationale comment
and replaces it with the ephemeral-VM rationale (cross-run state
leakage is impossible on a fresh GitHub-hosted VM).
* Removes both `atos-actions/clean-self-hosted-runner` cleanup steps —
GitHub-hosted runners are ephemeral, the action is a no-op there at
best and a failure mode at worst (it expects self-hosted workspace
patterns that don't exist on hosted runners).
* Tweaks one comment that mentioned `/proc/<pid>/cmdline on the self-
hosted runner` to be runner-agnostic.
Also removes `.github/actionlint.yaml`. It was added in #1947 to silence
actionlint's "label 'web' is unknown" false positive — with no workflow
in this repo now using `[self-hosted, web]`, the file is dead code.
The canonical reference at `VyOS-Networks/vyos-docs-opus-reviewer/scripts/
ai-validation.yml` intentionally diverges: that repo IS in VyOS-Networks
and has access to the `web` self-hosted pool, so its canonical keeps
`runs-on: [self-hosted, web]` and the cleanup steps. The deployed
file's REFERENCE COPY header comment block in the reviewer repo will be
updated in a follow-up to note that the deployed file may use different
runners per host repo's pool availability.
No security regression — the trust boundary on prepare is enforced by
no-fork-code-execution, no-secrets-referenced, persist-credentials:false,
and the split-job artifact, all of which are unchanged. Adds the implicit
host-ephemerality guarantee of GitHub-hosted runners.
Diffstat (limited to 'docs/_static/css/code-snippets.css')
0 files changed, 0 insertions, 0 deletions
