Parent: #1936
Problem
The security (dependency-review) job in .github/workflows/ci.yml runs unconditionally on every PR (if: github.event_name == 'pull_request' only — no needs.changes gate, no path condition) and lands on the scarce self-hosted [self-hosted, gittensory] pool for every same-repo PR, even though it does nothing but checkout + a lockfile diff.
Combined with validate-code (also self-hosted) and validate's pure result-aggregation job (also self-hosted) and changes itself (also self-hosted — see the companion issue on that), a single same-repo PR consumes 4 self-hosted runner slots when only validate-code (the npm/build/test job) actually benefits from the self-hosted VPS's cached toolchain. This directly contradicts validate-code's own comment ("Keep this as one self-hosted job so a PR uses one runner slot... instead of fanning out into several competing installs on the same VPS") and matches issue #1827's requirement to "Identify which jobs can safely run on GitHub-hosted runners to reduce self-host pressure."
Fix
Route security unconditionally to ubuntu-latest (drop the self-hosted branch of the runs-on expression) since actions/dependency-review-action needs no self-hosted capability. Consider gating it on a lockfile/manifest path filter (reuse needs.changes with a new deps filter for package.json/package-lock.json) so it skips entirely on PRs that don't touch dependencies.
Verification
Parent: #1936
Problem
The
security(dependency-review) job in.github/workflows/ci.ymlruns unconditionally on every PR (if: github.event_name == 'pull_request'only — noneeds.changesgate, no path condition) and lands on the scarce self-hosted[self-hosted, gittensory]pool for every same-repo PR, even though it does nothing but checkout + a lockfile diff.Combined with
validate-code(also self-hosted) andvalidate's pure result-aggregation job (also self-hosted) andchangesitself (also self-hosted — see the companion issue on that), a single same-repo PR consumes 4 self-hosted runner slots when onlyvalidate-code(the npm/build/test job) actually benefits from the self-hosted VPS's cached toolchain. This directly contradictsvalidate-code's own comment ("Keep this as one self-hosted job so a PR uses one runner slot... instead of fanning out into several competing installs on the same VPS") and matches issue #1827's requirement to "Identify which jobs can safely run on GitHub-hosted runners to reduce self-host pressure."Fix
Route
securityunconditionally toubuntu-latest(drop the self-hosted branch of theruns-onexpression) sinceactions/dependency-review-actionneeds no self-hosted capability. Consider gating it on a lockfile/manifest path filter (reuseneeds.changeswith a newdepsfilter forpackage.json/package-lock.json) so it skips entirely on PRs that don't touch dependencies.Verification
securityjob config against.github/workflows/ci.yml(line numbers may have shifted).actions/dependency-review-actionhas no dependency on the self-hosted runner's cached environment.securitynow runs onubuntu-latest, still produces the same result.