From 6a4a23e617e59aa6ed8ec6ab72bb1675f57e8741 Mon Sep 17 00:00:00 2001 From: Yuriy Andamasov Date: Sun, 10 May 2026 23:17:57 +0300 Subject: Revert "ci: prepare on GitHub-hosted ubuntu" — Debian self-hosted only MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit User direction: GitHub-hosted ubuntu-latest is not available in this environment. The runner pool is Debian 12 self-hosted (web-runner-01, web-runner-02). prepare must run there too. Pushing back on Copilot's defense-in-depth finding (line 35) with explicit threat-model reasoning documented in the workflow comment: - prepare does not execute fork code. Only git fetch / git diff / git show / file reads. No pip install, no npm install, no build, no test. Adding any of these would require a deliberate code change in this file that a reviewer must approve. - No secrets are referenced in prepare. Even a presence-check would leak the value into the runner environment. - persist-credentials: false on the merge-ref checkout keeps the default GITHUB_TOKEN out of fork-readable .git/config. - The atos-actions/clean-self-hosted-runner step (`if: always()`) wipes the workspace after every job regardless of exit state. The split-job artifact still bridges the trust boundary to validate. validate remains the only place where secrets are referenced. The skip-notice `gh pr comment` step from a22df7d is preserved — that's an independent discoverability improvement. 🤖 Generated by [robots](https://vyos.io) --- .github/workflows/ai-validation.yml | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml index 5d1ecf2b..19ebd9f6 100644 --- a/.github/workflows/ai-validation.yml +++ b/.github/workflows/ai-validation.yml @@ -25,17 +25,28 @@ jobs: # expanding the attack surface to any future shell change in this job. # The validate job below performs the secrets-availability check and # skips with a notice if any are missing. - # Untrusted prepare runs on GitHub-hosted ubuntu-latest, NOT the - # self-hosted web pool. Even though this job doesn't execute fork code - # (it only does git diff / git show / file reads — never pip install, - # npm install, build, or tests), GitHub-hosted runners are ephemeral - # and isolated, so a future maintainer who adds a build step to prepare - # cannot accidentally turn it into an attack vector against internal - # network services or persist state across runs on the self-hosted - # host. The trusted validate job below stays on self-hosted web; the - # split-job artifact bridges the trust boundary. + # Untrusted prepare runs on the same self-hosted Debian 12 pool as + # validate. GitHub-hosted ubuntu-latest is not available in this + # environment. The trust boundary on prepare is enforced WITHOUT host + # isolation: + # - No fork code is executed: prepare only does + # git fetch / git diff / git show / file reads. + # There is no `pip install` from the fork, no `npm install`, no + # build/test step. Adding one in the future would require an + # explicit code change in this file that a reviewer must approve. + # - No secrets are referenced in prepare (see comment block at the + # top of this job). Even a presence-check would put the value in + # the runner environment, so it is intentionally absent here. + # - persist-credentials: false on the merge-ref checkout means the + # default GITHUB_TOKEN is not available to fork-controlled file + # content. + # - atos-actions/clean-self-hosted-runner step (`if: always()`) at + # the end of the job wipes the workspace regardless of how prepare + # exits. + # The split-job artifact still bridges the trust boundary to validate; + # validate is the only place where secrets are referenced. prepare: - runs-on: ubuntu-latest + runs-on: [self-hosted, web] permissions: contents: read steps: -- cgit v1.2.3