fix: revert cross-platform CI matrix and use self-hosted for security

SebTardif · SebTardif · commit 93d21a2b8dbb · 2026-05-29T03:28:30.000-07:00
GitHub-hosted runners fail to provision on this private org repo.
Revert unit-test job to self-hosted runner. Trim security workflow
to npm audit only (Gitleaks and Trivy are Docker-based and need
Linux runners). Update changelog accordingly.

Signed-off-by: Sebastien Tardif &lt;sebtardif@ncf.ca&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -14,10 +14,11 @@ concurrency:
 
 jobs:
   unit-test:
-    strategy:
-      matrix:
-        os: [ubuntu-latest, windows-latest, macos-latest]
-    runs-on: ${{ matrix.os }}
+    runs-on:
+      - self-hosted
+      - macOS
+      - ARM64
+      - patchloom-vscode
     timeout-minutes: 10
     steps:
       - name: Checkout
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -16,48 +16,13 @@ concurrency:
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
 jobs:
-  gitleaks:
-    name: Secret detection
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - name: Gitleaks
-        uses: gitleaks/gitleaks-action@v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  trivy:
-    name: Vulnerability scan
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version-file: .nvmrc
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Trivy filesystem scan
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: fs
-          severity: HIGH,CRITICAL
-          exit-code: 1
-
   npm-audit:
     name: npm audit
-    runs-on: ubuntu-latest
+    runs-on:
+      - self-hosted
+      - macOS
+      - ARM64
+      - patchloom-vscode
     timeout-minutes: 5
     steps:
       - name: Checkout
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -31,6 +31,5 @@
 ### Infrastructure
 
 - Automated test harness with unit tests and VS Code extension integration tests
-- Cross-platform CI matrix (Ubuntu, macOS, Windows) for unit tests
-- Self-hosted runner for build, packaging, and integration tests
+- CI on self-hosted runner with npm audit security scanning
 - Extension packaging with `@vscode/vsce`
