diff options
| author | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-10 23:17:57 +0300 |
|---|---|---|
| committer | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-10 23:17:57 +0300 |
| commit | 6a4a23e617e59aa6ed8ec6ab72bb1675f57e8741 (patch) | |
| tree | 9a2a2361bc669758a8570f4a635a283a2aa6208e /docs | |
| parent | a187cf9081edc3bc1bc06f4f441192976c4ee383 (diff) | |
| download | vyos-documentation-6a4a23e617e59aa6ed8ec6ab72bb1675f57e8741.tar.gz vyos-documentation-6a4a23e617e59aa6ed8ec6ab72bb1675f57e8741.zip | |
Revert "ci: prepare on GitHub-hosted ubuntu" — Debian self-hosted only
User direction: GitHub-hosted ubuntu-latest is not available in this
environment. The runner pool is Debian 12 self-hosted (web-runner-01,
web-runner-02). prepare must run there too.
Pushing back on Copilot's defense-in-depth finding (line 35) with
explicit threat-model reasoning documented in the workflow comment:
- prepare does not execute fork code. Only git fetch / git diff /
git show / file reads. No pip install, no npm install, no build,
no test. Adding any of these would require a deliberate code
change in this file that a reviewer must approve.
- No secrets are referenced in prepare. Even a presence-check would
leak the value into the runner environment.
- persist-credentials: false on the merge-ref checkout keeps the
default GITHUB_TOKEN out of fork-readable .git/config.
- The atos-actions/clean-self-hosted-runner step (`if: always()`)
wipes the workspace after every job regardless of exit state.
The split-job artifact still bridges the trust boundary to validate.
validate remains the only place where secrets are referenced.
The skip-notice `gh pr comment` step from a22df7d is preserved —
that's an independent discoverability improvement.
🤖 Generated by [robots](https://vyos.io)
Diffstat (limited to 'docs')
0 files changed, 0 insertions, 0 deletions
