Skip to content

perf(strix): skip scans on doc/image-only diffs and cap job at 60m#345

Open
seonghobae wants to merge 1 commit into
mainfrom
fix/strix-throughput-paths-ignore-timeout
Open

perf(strix): skip scans on doc/image-only diffs and cap job at 60m#345
seonghobae wants to merge 1 commit into
mainfrom
fix/strix-throughput-paths-ignore-timeout

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Problem

The org Strix security scan runs a ~120-minute scan per commit via pull_request_target and, by deliberate design, does not cancel in-progress scans on new commits (the concurrency group includes head.sha; cancel only on closed). That non-cancellation is a correct security property (an attacker must not be able to force-push a benign commit to cancel a malicious commit's scan). But the result is runner-queue starvation across the org: every doc-only, image-only, or empty re-trigger commit spawns a fresh 120-min scan, blocking all PR merges behind runner contention.

Fix (security-preserving throughput)

1. paths-ignore on push and pull_request_target for changes whose ENTIRE diff is non-executable documentation/image assets: *.md, *.markdown, *.rst, raster images (*.png/jpg/jpeg/gif/webp/bmp/ico), LICENSE*, COPYING, .github/ISSUE_TEMPLATE/**. A code security scanner has nothing to analyze in such a diff.

Conservative by design:

  • Only file types/paths that cannot contain executable logic are listed.
  • Not ignored: any source file, *.txt (could be a requirements/lock file), *.svg (can embed script), CODEOWNERS, *.html/*.css, and all build/workflow files.
  • GitHub requires every changed file to match a paths-ignore pattern, so a PR/push touching even one code/config/build/workflow file still scans.

2. Cap the strix job at 60m (was 120m). The scan step is already hard-bounded to 30 min (timeout-minutes: 30 + STRIX_TOTAL_TIMEOUT_SECONDS=1800); every other step is quick or self-bounded. 120m only ever bit hung runs. 60m clears the realistic worst case (~50 min) with margin and is fail-closed (hitting the cap fails the run, never passes it).

Why coverage is preserved

  • Skipped diffs contain zero executable code — nothing for a scanner to find.
  • All-files-must-match semantics: any real code/config/build/workflow change still triggers a full scan.
  • The weekly full-tree schedule (cron: 0 3 * * 1, no path filter) re-scans protected branches, backstopping every path.
  • The merge scheduler still forces same-head Strix evidence via workflow_dispatch (which paths-ignore does not affect) before merging managed PRs, so merged code never loses evidence.
  • The head.sha concurrency / cancel-in-progress security design is unchanged.

Validated with a YAML parser and actionlint (clean).

🤖 Generated with Claude Code

Runner-queue starvation across the org: every doc-only, image-only, or
empty re-trigger PR/push spawned a fresh ~120-min Strix scan, blocking
all PR merges behind runner contention.

Two security-preserving throughput fixes:

1. paths-ignore on push and pull_request_target for changes whose ENTIRE
   diff is non-executable documentation/image assets (*.md, *.rst,
   *.markdown, raster images, LICENSE, .github/ISSUE_TEMPLATE). A code
   security scanner has nothing to analyze in such a diff. Conservative:
   no source, no *.txt, no *.svg (can embed script), no CODEOWNERS, no
   build/workflow files. GitHub requires EVERY changed file to match, so
   any code/config/build/workflow change still scans. The weekly full-tree
   schedule (no path filter) backstops protected branches, and the merge
   scheduler still forces same-head evidence via workflow_dispatch (which
   paths-ignore does not affect) before merging managed PRs.

2. Cap the strix job at 60m (was 120m). The scan step is already
   hard-bounded to 30 min (timeout-minutes: 30 + STRIX_TOTAL_TIMEOUT=1800)
   and all other steps are quick/self-bounded; 120 only ever bit hung runs.
   60m clears the realistic worst case with margin and is fail-closed.

The head.sha concurrency / cancel-in-progress security design (which
deliberately does NOT cancel in-progress scans on new commits) is
unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RjGVapDZ3k7V7zKYk16P4C
@seonghobae seonghobae enabled auto-merge (squash) July 7, 2026 12:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant