
fix: route PR jobs to ephemeral runners and clean isolated Docker auth #1622

Draft
gilescope wants to merge 2 commits into main from codex/review-external-prs-before-execution

Conversation

@gilescope (Contributor)

Motivation

  • Prevent credential exposure from pull_request jobs that execute checked-out repository code on persistent self-hosted runners by avoiding sourcing untrusted .envrc/Earthly on those hosts.
  • Remove persistent Docker auth residue that could be read by later jobs on shared/persistent self-hosted runner HOME directories.

Description

  • Route jobs that run on pull_request to ephemeral GitHub-hosted runners by making runs-on conditional (ubuntu-latest for PRs, self-hosted for non-PR events) across the main CI and test workflows.
  • Ensure Docker auth is isolated per-runner by creating an isolated $RUNNER_TEMP/.docker directory and exporting DOCKER_CONFIG=$RUNNER_TEMP/.docker where registry logins occur (added to the test workflow and harmonized with existing isolation steps).
  • Add explicit cleanup steps that remove the isolated Docker auth directory (rm -rf "$DOCKER_CONFIG") after registry use in affected jobs to avoid leaving credentials on persistent storage.
  • Apply the isolation+cleanup pattern in multiple jobs that previously used self-hosted runners or performed registry logins, and preserve existing behavior for trusted, non-PR runs.

Testing

  • Verified both modified workflow files parse successfully as YAML using a Ruby YAML loader (.github/workflows/continuous-integration.yml and .github/workflows/continuous-integration-test.yml).
  • Ran git diff --check and a local syntax/consistency sweep to ensure no obvious formatting errors were introduced.
  • Attempted to run actionlint but it could not complete in this environment due to a Go proxy HTTP 403, so static linting with actionlint was not available here.

Codex Task
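As an added illustration (not the PR's own diff), the following minimal GitHub Actions job shows the two mitigations the description outlines: a conditional `runs-on` that sends fork pull requests to an ephemeral runner, and Docker credentials kept under `$RUNNER_TEMP` and removed afterwards. The job and step names, the `ghcr.io` registry and the `if: always()` on the cleanup step are assumptions, not taken from the PR.

```yaml
# Added example, not the repository's actual workflow. Job/step names,
# the registry and the always() cleanup guard are assumptions.
name: ci
on:
  pull_request:
  push:
    branches: [main]
  merge_group:

jobs:
  test:
    # Pull requests from forks execute untrusted checked-out code, so they go
    # to an ephemeral GitHub-hosted runner; trusted events (internal PRs,
    # merge queue, push) keep the persistent self-hosted runner.
    runs-on: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork) && 'ubuntu-latest' || 'self-hosted' }}
    steps:
      - uses: actions/checkout@v4

      # Point the Docker CLI at a per-job directory instead of $HOME/.docker,
      # which would outlive the job on a persistent runner.
      - name: Isolate Docker auth
        run: |
          mkdir -p "$RUNNER_TEMP/.docker"
          echo "DOCKER_CONFIG=$RUNNER_TEMP/.docker" >> "$GITHUB_ENV"

      - name: Log in to registry
        run: echo "$REGISTRY_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
        env:
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Build image
        run: docker build -t app:ci .

      # Remove the isolated auth directory even when an earlier step failed,
      # so no config.json holding registry credentials stays on disk.
      - name: Clean up Docker auth
        if: always()
        run: rm -rf "$DOCKER_CONFIG"
```

With `DOCKER_CONFIG` exported via `$GITHUB_ENV`, every later step in the job (login, build, push) uses the isolated directory, and a single cleanup step covers all of them.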

gilescope added 2 commits June 1, 2026 17:27
Route pull_request jobs that execute checked-out code to ephemeral GitHub-hosted runners and clean isolated Docker auth directories after registry use.

Assisted-by: OpenAI:gpt-5.3-codex
Signed-off-by: Giles Cope <gilescope@gmail.com>
Limit the ubuntu-latest fallback to external fork pull requests while preserving self-hosted runners for trusted internal PR, merge queue, push, and manual events.

Assisted-by: OpenAI:gpt-5.3-codex
Signed-off-by: Giles Cope <gilescope@gmail.com>
@gilescope force-pushed the codex/review-external-prs-before-execution branch from de33392 to 47da424 on June 1, 2026 16:28