Skip to content

ci: isolate PR checks from self-hosted runner#87

Merged
pheidon merged 2 commits into
mainfrom
codex/propose-fix-for-critical-ci-vulnerability
Jun 24, 2026
Merged

ci: isolate PR checks from self-hosted runner#87
pheidon merged 2 commits into
mainfrom
codex/propose-fix-for-critical-ci-vulnerability

Conversation

@jmcte

@jmcte jmcte commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Motivation

  • A security scan flagged that the pull_request workflow checked out PR-controlled code and executed repository scripts on a self-hosted macOS runner, enabling arbitrary code execution from untrusted PRs.
  • The intent is to prevent untrusted PR content from running on persistent self-hosted infrastructure that may contain secrets or sensitive local state.
  • The change also ensures CI policy checks catch regressions that would reintroduce the unsafe routing.

Description

  • Split the original CI job into two jobs and added a PR-only job pr-ci-gate with if: github.event_name == 'pull_request' that uses a GitHub-hosted runner via runs-on: - macos-15 and runs the existing bash scripts/ci/run-fast-checks.sh steps.
  • Added a trusted-ci-gate job with if: github.event_name != 'pull_request' that retains the self-hosted runner labels (self-hosted, macOS, ARM64, xcode) for trusted push/workflow_dispatch events.
  • Updated scripts/ci/check-ci-policy.sh to require the PR workflow include the - macos-15 line so local/CI validation will detect regressions.
  • Preserved existing steps such as actions/checkout@v4 and xcodebuild -version in both job paths.

Testing

  • Ran bash scripts/ci/check-ci-policy.sh and it completed successfully.
  • Ran bash scripts/ci/check-shell-syntax.sh and it completed successfully.
  • Ran swift test and the test suite completed successfully.

Codex Task

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ac10d2e375

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/pr-fast-ci.yml Outdated
Comment thread scripts/ci/check-ci-policy.sh Outdated
@pheidon pheidon requested a review from athena-omt June 22, 2026 09:53
pheidon
pheidon previously approved these changes Jun 22, 2026
@pheidon pheidon enabled auto-merge (squash) June 22, 2026 13:13

@athena-omt athena-omt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

APPROVE

The PR does what it says: pull requests now run on a GitHub-hosted macos-15 runner, while trusted push/workflow_dispatch paths stay on the self-hosted macOS ARM64 runner. The policy check was tightened to catch regressions in the PR workflow routing.

Evidence checked:

Validation:

  • bash scripts/ci/check-ci-policy.sh
  • bash scripts/ci/check-shell-syntax.sh

Residual risk is low; I did not find any remaining path where pull_request events can hit the self-hosted runner in this workflow.

@pheidon pheidon merged commit 6216475 into main Jun 24, 2026
3 checks passed
@pheidon pheidon deleted the codex/propose-fix-for-critical-ci-vulnerability branch June 24, 2026 21:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants