@@ -133,13 +133,11 @@ export class ComputeWorkloadManager implements WorkloadManager {
133133 // Strip image digest - resolve by tag, not digest
134134 const imageRef = stripImageDigest ( opts . image ) ;
135135
136- // Labels forwarded to the compute provider for network-policy selection;
137- // the provider promotes a configured subset to its network layer. Mirrors
138- // the privatelink label the Kubernetes workload manager sets on the run pod.
139- const labels : Record < string , string > = { } ;
140- if ( opts . hasPrivateLink ) {
141- labels . privatelink = opts . orgId ;
142- }
136+ // Labels forwarded to the compute provider for network-policy selection.
137+ // `org` is always set so every run carries its org identity.
138+ const labels : Record < string , string > = {
139+ org : opts . orgId ,
140+ } ;
143141
144142 // Wide event: single canonical log line emitted in finally
145143 const event : Record < string , unknown > = {
@@ -319,12 +317,11 @@ export class ComputeWorkloadManager implements WorkloadManager {
319317 TRIGGER_WORKER_INSTANCE_NAME : this . opts . runner . instanceName ,
320318 } ;
321319
322- // Resupply the same labels on restore (mirror of the create path); the
323- // provider doesn't persist them across a snapshot, so without this a
324- // restored run would lose its policy-based network selection.
320+ // Resupply labels on restore (the provider doesn't persist them across a
321+ // snapshot). orgId is optional on the restore opts type, so guard it.
325322 const labels : Record < string , string > = { } ;
326- if ( opts . hasPrivateLink && opts . orgId ) {
327- labels . privatelink = opts . orgId ;
323+ if ( opts . orgId ) {
324+ labels . org = opts . orgId ;
328325 }
329326
330327 this . logger . verbose ( "restore request body" , {
0 commit comments