Skip to content

chore: migrate CI/release to ARC self-hosted runners#93

Merged
anandgupta42 merged 3 commits intomainfrom
chore/arc-runner-label
Mar 7, 2026
Merged

chore: migrate CI/release to ARC self-hosted runners#93
anandgupta42 merged 3 commits intomainfrom
chore/arc-runner-label

Conversation

@govindpawa
Copy link
Copy Markdown
Contributor

@govindpawa govindpawa commented Mar 7, 2026

Summary

  • Update ci.yml to use arc-runner-altimate-code instead of ubuntu-latest
  • Update release.yml to use arc-runner-altimate-code instead of ubuntu-latest

ARC v2 (runner scale sets) has been deployed on AKS cluster altimate-arc in Azure East US. Runners scale to zero when idle.

Test plan

  • Verify CI workflow triggers and completes on ARC runner
  • Verify release workflow jobs pick up the new runner label

Generated with Claude Code

@govindpawa govindpawa requested a review from anandgupta42 March 7, 2026 05:15
@anandgupta42
Copy link
Copy Markdown
Contributor

anandgupta42 commented Mar 7, 2026

Multi-Model Code Review — PR #93

Verdict: REQUEST CHANGES
Critical Issues: 1 | Major Issues: 2 | Minor Issues: 5

Critical Issues

1. Security: Fork PRs May Execute Untrusted Code on Self-Hosted Runners

Location: .github/workflows/ci.yml:4-7,12,42,59

The CI workflow triggers on pull_request from any source including forks. On self-hosted ARC runners, fork PRs can execute arbitrary code (via bun install, bun test, pip install, pytest) on your AKS infrastructure, enabling code execution, network access, and potential secret exfiltration.

Nuance: GitHub has a repo-level setting to restrict self-hosted runners from fork PRs. If this is already enabled, this is a non-issue. Verify under Settings → Actions → General → "Fork pull request workflows" that self-hosted runner access is restricted.

Fix (if not already restricted):

runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'arc-runner-altimate-code' }}

Major Issues

2. No Fallback/Timeout Strategy

Location: All jobs in both files

Every CI and release job depends on arc-runner-altimate-code. If AKS has issues, all workflows queue indefinitely. Self-hosted runners have NO default timeout (GitHub-hosted have 6 hours).

Fix: Add timeout-minutes to all jobs. Document recovery procedure (manual switch to ubuntu-latest).

timeout-minutes: 30  # Add to each job

3. NPM_TOKEN Written to ~/.npmrc on Persistent Runner

Location: .github/workflows/release.yml:89-92

Pre-existing pattern, but the risk is exacerbated on self-hosted runners where ~/.npmrc may persist between jobs. On ubuntu-latest this was ephemeral.

Fix: Write to $RUNNER_TEMP/.npmrc and set NPM_CONFIG_USERCONFIG.

Minor Issues

4. Cache Compatibility

Location: ci.yml:20-26, release.yml:32-38,72-77

Cache uses ~/.bun/install/cache and ${{ runner.os }} key. Verify after migration that cache hits work as expected on ARC runners.

5. Incomplete Migration

~12 other workflows still use ubuntu-latest. This is acceptable for phased migration, but should be documented.

6. Missing Documentation

No docs about ARC runner specs, troubleshooting, or why chosen alongside Blacksmith runners.

7. No concurrency Setting in CI

release.yml has concurrency control but ci.yml does not. On limited self-hosted runners, consider adding:

concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

8. OIDC for PyPI Trusted Publishing

Pre-existing, but worth verifying AKS has network access to GitHub OIDC endpoints.

Cross-Platform Assessment

Does this work for Linux, macOS, and Windows?Yes.

The build job's matrix.os: [linux, darwin, win32] is a cross-compilation matrix — all 3 targets are built from the same Linux host using Bun's native cross-compilation (Bun.build() with per-platform targets). This pattern was already in place with ubuntu-latest and is unaffected by the runner change.

Positive Observations

  • Clean, focused PR with minimal diff
  • All actions use pinned commit SHAs (good supply-chain security)
  • Consistent change across all jobs within migrated files
  • PR description documents ARC v2 deployment details
  • fail-fast: false on build matrix allows all OS builds to complete
  • Tag validation in release workflow prevents injection
Finding Attribution
Issue Origin Type
Fork PR security on self-hosted runners GPT 5.2 Codex, Grok 4 Consensus
No fallback/timeout strategy Claude, Kimi K2.5, MiniMax M2.5, GLM-5 Consensus
NPM_TOKEN persistence on self-hosted runner GPT 5.2 Codex Unique
Cache compatibility on ARC runners Claude, Kimi K2.5, MiniMax M2.5, GLM-5 Consensus
Incomplete migration documentation Kimi K2.5, MiniMax M2.5, GLM-5 Consensus
Missing ARC runner documentation Kimi K2.5, Grok 4, MiniMax M2.5, GLM-5 Consensus
No concurrency setting in CI MiniMax M2.5 Unique
OIDC trusted publishing verification Claude Unique

Reviewed by 6 models: Claude, GPT 5.2 Codex, Kimi K2.5, Grok 4, MiniMax M2.5, GLM-5. Convergence: 1 round.

@anandgupta42
fix: harden ARC runner migration with security and reliability safegu…
3b1cd8e 
…ards

- Fall back to `ubuntu-latest` for fork PRs to prevent untrusted code
  execution on self-hosted ARC runners
- Add `timeout-minutes: 60` to all CI and release jobs (self-hosted
  runners have no default timeout unlike GitHub-hosted 6h limit)
- Write `NPM_TOKEN` to `$RUNNER_TEMP/.npmrc` instead of `~/.npmrc` to
  prevent secret persistence on self-hosted runners
- Set `NPM_CONFIG_USERCONFIG` to point publish step to temp `.npmrc`
- Add `concurrency` group to CI workflow to cancel superseded runs
@anandgupta42 anandgupta42 merged commit 51a4e35 into main Mar 7, 2026
4 of 9 checks passed
@kulvirgit kulvirgit deleted the chore/arc-runner-label branch March 10, 2026 21:06
anandgupta42 added a commit that referenced this pull request Mar 17, 2026
@govindpawa @anandgupta42
chore: migrate CI/release to ARC self-hosted runners (#93)
e9d439b 
* chore: use ARC self-hosted runner for CI

* chore: use ARC self-hosted runner for release workflow

* fix: harden ARC runner migration with security and reliability safeguards

- Fall back to `ubuntu-latest` for fork PRs to prevent untrusted code
  execution on self-hosted ARC runners
- Add `timeout-minutes: 60` to all CI and release jobs (self-hosted
  runners have no default timeout unlike GitHub-hosted 6h limit)
- Write `NPM_TOKEN` to `$RUNNER_TEMP/.npmrc` instead of `~/.npmrc` to
  prevent secret persistence on self-hosted runners
- Set `NPM_CONFIG_USERCONFIG` to point publish step to temp `.npmrc`
- Add `concurrency` group to CI workflow to cancel superseded runs

---------

Co-authored-by: anandgupta42 <anand@altimate.ai>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anandgupta42 anandgupta42 Awaiting requested review from anandgupta42

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@govindpawa @anandgupta42