Skip to content

ci: route the security dependency-review job off the self-hosted runner pool #2501

Description

@JSONbored

Parent: #1936

Problem

The security (dependency-review) job in .github/workflows/ci.yml runs unconditionally on every PR (if: github.event_name == 'pull_request' only — no needs.changes gate, no path condition) and lands on the scarce self-hosted [self-hosted, gittensory] pool for every same-repo PR, even though it does nothing but checkout + a lockfile diff.

Combined with validate-code (also self-hosted) and validate's pure result-aggregation job (also self-hosted) and changes itself (also self-hosted — see the companion issue on that), a single same-repo PR consumes 4 self-hosted runner slots when only validate-code (the npm/build/test job) actually benefits from the self-hosted VPS's cached toolchain. This directly contradicts validate-code's own comment ("Keep this as one self-hosted job so a PR uses one runner slot... instead of fanning out into several competing installs on the same VPS") and matches issue #1827's requirement to "Identify which jobs can safely run on GitHub-hosted runners to reduce self-host pressure."

Fix

Route security unconditionally to ubuntu-latest (drop the self-hosted branch of the runs-on expression) since actions/dependency-review-action needs no self-hosted capability. Consider gating it on a lockfile/manifest path filter (reuse needs.changes with a new deps filter for package.json/package-lock.json) so it skips entirely on PRs that don't touch dependencies.

Verification

  • Confirm current security job config against .github/workflows/ci.yml (line numbers may have shifted).
  • Confirm actions/dependency-review-action has no dependency on the self-hosted runner's cached environment.
  • Open a test PR and confirm security now runs on ubuntu-latest, still produces the same result.

Metadata

Metadata

Assignees

Labels

maintainer-onlyOwner-only work — yields no Gittensor points.

Projects

Status
Done

Relationships

None yet

Development

No branches or pull requests

Issue actions