From a6a841a9fec83b1810ced28f1973a9e7ab3ae1dc Mon Sep 17 00:00:00 2001
From: Jonathan Haas
Date: Wed, 20 May 2026 19:36:11 -0700
Subject: [PATCH 1/4] ci: default shared workflows to owned runners
---
 .github/actionlint.yaml | 1 -
 .github/workflows/agent-authorship-label.yml | 2 +-
 .github/workflows/codeql-guard.yml | 6 +++---
 .github/workflows/codex-rails-check.yml | 4 ++--
 .github/workflows/pysa.yml | 2 +-
 5 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
index f48d92a..7f3c5aa 100644
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@@ -1,5 +1,4 @@
 self-hosted-runner:
 labels:
- - blacksmith-4vcpu-ubuntu-2404
 config-variables: null
diff --git a/.github/workflows/agent-authorship-label.yml b/.github/workflows/agent-authorship-label.yml
index fd2058a..f42cdfc 100644
--- a/.github/workflows/agent-authorship-label.yml
+++ b/.github/workflows/agent-authorship-label.yml
@@ -12,7 +12,7 @@ on:
 description: "Runner label used for the label job"
 required: false
 type: string
- default: blacksmith-4vcpu-ubuntu-2404
+ default: evalops-private-ci
 helper_ref:
 description: "evalops/.github ref used to checkout helper scripts"
 required: false
diff --git a/.github/workflows/codeql-guard.yml b/.github/workflows/codeql-guard.yml
index d971abb..b8f20a4 100644
--- a/.github/workflows/codeql-guard.yml
+++ b/.github/workflows/codeql-guard.yml
@@ -23,7 +23,7 @@ jobs:
 guard-self:
 name: Forbid CodeQL in evalops/.github
 if: ${{ github.event_name != 'schedule' }}
- runs-on: blacksmith-4vcpu-ubuntu-2404
+ runs-on: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository && 'ubuntu-latest' || (vars.PR_VALIDATION_RUNNER || 'evalops-private-ci') }}
 timeout-minutes: 5
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
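Review bot: After the only entry is dropped, `labels:` in `.github/actionlint.yaml` is left with no value, which YAML reads as null rather than an empty list; write `labels: []` so the intent is explicit and does not depend on how the consumer treats a bare key. Nothing in this hunk registers the `evalops-private-ci` label that the rest of this patch introduces as a default; every `runs-on` that can resolve to it is an expression, so actionlint will not object, but a typo in that label would then go unnoticed until a job sits queued waiting for a matching runner. If the label is meant to stay reachable through `runner_label`, listing it under `labels:` keeps the linter aware of it.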
@@ -52,7 +52,7 @@ jobs:
 guard-org:
 name: Sweep evalops/* for CodeQL workflow drift
 if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
- runs-on: blacksmith-4vcpu-ubuntu-2404
+ runs-on: ${{ vars.PR_VALIDATION_RUNNER || 'evalops-private-ci' }}
 timeout-minutes: 15
 env:
 GH_TOKEN: ${{ github.token }}
@@ -158,7 +158,7 @@ jobs:
 {
 echo "## codeql-guard tripped"
 echo
- echo "EvalOps does not run GitHub CodeQL (see \`SECURITY.md\` and the Blacksmith"
+ echo "EvalOps does not run GitHub CodeQL (see \`SECURITY.md\` and the org"
 echo "code security configuration, which is now \`enforcement: enforced\`)."
 echo
 if [ "${file_count}" -gt 0 ]; then
diff --git a/.github/workflows/codex-rails-check.yml b/.github/workflows/codex-rails-check.yml
index a06eb5d..e887281 100644
--- a/.github/workflows/codex-rails-check.yml
+++ b/.github/workflows/codex-rails-check.yml
@@ -33,14 +33,14 @@ on:
 description: "Runner label used for the validation job"
 required: false
 type: string
- default: blacksmith-4vcpu-ubuntu-2404
+ default: evalops-private-ci
 permissions:
 contents: read
 jobs:
 validate:
- runs-on: ${{ inputs.runner_label || 'blacksmith-4vcpu-ubuntu-2404' }}
+ runs-on: ${{ inputs.runner_label || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository && 'ubuntu-latest' || (vars.PR_VALIDATION_RUNNER || 'evalops-private-ci')) }}
 timeout-minutes: 10
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
diff --git a/.github/workflows/pysa.yml b/.github/workflows/pysa.yml
index 7322a13..93b0088 100644
--- a/.github/workflows/pysa.yml
+++ b/.github/workflows/pysa.yml
@@ -12,7 +12,7 @@ on:
 description: "Runner label used for Pysa"
 required: false
 type: string
- default: blacksmith-4vcpu-ubuntu-2404
+ default: evalops-private-ci
 working_directory:
 description: "Repository-relative directory to analyze"
 required: false
From 1dfd3ea144082ef3b53d4c1654cc352814d462b6 Mon Sep 17 00:00:00 2001
From: Jonathan Haas
Date: Wed, 20 May 2026 19:39:43 -0700
Subject: [PATCH 2/4] ci: run shared review guard on owned ci
---
 .github/workflows/review-thread-guard.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/review-thread-guard.yml b/.github/workflows/review-thread-guard.yml
index 42c1b23..33fbc1a 100644
--- a/.github/workflows/review-thread-guard.yml
+++ b/.github/workflows/review-thread-guard.yml
@@ -16,7 +16,7 @@ on:
 description: "Runner label used for the validation job"
 required: false
 type: string
- default: ubuntu-latest
+ default: evalops-private-ci
 guard_ref:
 description: "evalops/.github ref to checkout for guard scripts"
 required: false
@@ -63,7 +63,7 @@ permissions:
 jobs:
 unresolved-review-threads:
- runs-on: ${{ inputs.runner_label || 'ubuntu-latest' }}
+ runs-on: ${{ inputs.runner_label || 'evalops-private-ci' }}
 timeout-minutes: 5
 steps:
 - uses: actions/checkout@v5
From 3f470cf5456a098439ef31b9d6612821e69b1a73 Mon Sep 17 00:00:00 2001
From: Jonathan Haas
Date: Wed, 20 May 2026 19:53:52 -0700
Subject: [PATCH 3/4] ci: default authorship label template to owned ci
---
 .github/workflow-templates/agent-authorship-labels.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflow-templates/agent-authorship-labels.yml b/.github/workflow-templates/agent-authorship-labels.yml
index 186676a..ac3e9be 100644
--- a/.github/workflow-templates/agent-authorship-labels.yml
+++ b/.github/workflow-templates/agent-authorship-labels.yml
@@ -12,3 +12,5 @@ permissions:
 jobs:
 label:
 uses: evalops/.github/.github/workflows/agent-authorship-label.yml@main
+ with:
+ runner_label: evalops-private-ci
From 5e6e400c1bc408446afb478e580f896f19f00eed Mon Sep 17 00:00:00 2001
From: Jonathan Haas
Date: Wed, 20 May 2026 20:36:37 -0700
Subject: [PATCH 4/4] ci: keep shared public defaults on hosted runners
---
 .github/workflow-templates/agent-authorship-labels.yml | 2 +-
 .github/workflows/agent-authorship-label.yml | 2 +-
 .github/workflows/codeql-guard.yml | 4 ++--
 .github/workflows/codex-rails-check.yml | 4 ++--
 .github/workflows/pysa.yml | 2 +-
 .github/workflows/review-thread-guard.yml | 4 ++--
 6 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflow-templates/agent-authorship-labels.yml b/.github/workflow-templates/agent-authorship-labels.yml
index ac3e9be..fa5bea4 100644
--- a/.github/workflow-templates/agent-authorship-labels.yml
+++ b/.github/workflow-templates/agent-authorship-labels.yml
@@ -13,4 +13,4 @@ jobs:
 label:
 uses: evalops/.github/.github/workflows/agent-authorship-label.yml@main
 with:
- runner_label: evalops-private-ci
+ runner_label: ubuntu-latest
diff --git a/.github/workflows/agent-authorship-label.yml b/.github/workflows/agent-authorship-label.yml
index f42cdfc..beecad6 100644
--- a/.github/workflows/agent-authorship-label.yml
+++ b/.github/workflows/agent-authorship-label.yml
@@ -12,7 +12,7 @@ on:
 description: "Runner label used for the label job"
 required: false
 type: string
- default: evalops-private-ci
+ default: ubuntu-latest
 helper_ref:
 description: "evalops/.github ref used to checkout helper scripts"
 required: false
diff --git a/.github/workflows/codeql-guard.yml b/.github/workflows/codeql-guard.yml
index b8f20a4..5661bf8 100644
--- a/.github/workflows/codeql-guard.yml
+++ b/.github/workflows/codeql-guard.yml
@@ -23,7 +23,7 @@ jobs:
 guard-self:
 name: Forbid CodeQL in evalops/.github
 if: ${{ github.event_name != 'schedule' }}
- runs-on: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository && 'ubuntu-latest' || (vars.PR_VALIDATION_RUNNER || 'evalops-private-ci') }}
+ runs-on: ubuntu-latest
 timeout-minutes: 5
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
@@ -52,7 +52,7 @@ jobs:
 guard-org:
 name: Sweep evalops/* for CodeQL workflow drift
 if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
- runs-on: ${{ vars.PR_VALIDATION_RUNNER || 'evalops-private-ci' }}
+ runs-on: ubuntu-latest
 timeout-minutes: 15
 env:
 GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/codex-rails-check.yml b/.github/workflows/codex-rails-check.yml
index e887281..a80595f 100644
--- a/.github/workflows/codex-rails-check.yml
+++ b/.github/workflows/codex-rails-check.yml
@@ -33,14 +33,14 @@ on:
 description: "Runner label used for the validation job"
 required: false
 type: string
- default: evalops-private-ci
+ default: ubuntu-latest
 permissions:
 contents: read
 jobs:
 validate:
- runs-on: ${{ inputs.runner_label || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository && 'ubuntu-latest' || (vars.PR_VALIDATION_RUNNER || 'evalops-private-ci')) }}
+ runs-on: ${{ inputs.runner_label || 'ubuntu-latest' }}
 timeout-minutes: 10
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
diff --git a/.github/workflows/pysa.yml b/.github/workflows/pysa.yml
index 93b0088..c6510ab 100644
--- a/.github/workflows/pysa.yml
+++ b/.github/workflows/pysa.yml
@@ -12,7 +12,7 @@ on:
 description: "Runner label used for Pysa"
 required: false
 type: string
- default: evalops-private-ci
+ default: ubuntu-latest
 working_directory:
 description: "Repository-relative directory to analyze"
 required: false
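Review bot: With the fork-aware branch removed from `runs-on` in `validate`, the job now lands on whatever label the caller passes in `runner_label`, including on `pull_request` events from forks, so a caller that forwards a self-hosted label would reintroduce the exposure the previous patch guarded against. The reusable workflow cannot see the caller's trigger policy, so the check belongs here rather than in the caller; keep the head-repo comparison ahead of the input, e.g. `runs-on: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository && 'ubuntu-latest') || inputs.runner_label || 'ubuntu-latest' }}`. The same applies to `unresolved-review-threads` in review-thread-guard.yml in this patch. The trailing `|| 'ubuntu-latest'` only takes effect when a caller passes an empty string, since the input's `default:` is already `ubuntu-latest`; a one-line comment above it saying so would spare the next reader the question.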
diff --git a/.github/workflows/review-thread-guard.yml b/.github/workflows/review-thread-guard.yml
index 33fbc1a..42c1b23 100644
--- a/.github/workflows/review-thread-guard.yml
+++ b/.github/workflows/review-thread-guard.yml
@@ -16,7 +16,7 @@ on:
 description: "Runner label used for the validation job"
 required: false
 type: string
- default: evalops-private-ci
+ default: ubuntu-latest
 guard_ref:
 description: "evalops/.github ref to checkout for guard scripts"
 required: false
@@ -63,7 +63,7 @@ permissions:
 jobs:
 unresolved-review-threads:
- runs-on: ${{ inputs.runner_label || 'evalops-private-ci' }}
+ runs-on: ${{ inputs.runner_label || 'ubuntu-latest' }}
 timeout-minutes: 5
 steps:
 - uses: actions/checkout@v5