[codex] Use self-hosted native runners#89
Conversation
jmcte
force-pushed
the
codex/native-self-hosted-runners
branch
from
70b343b to
ed0f5e0
Compare
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ed0f5e07b6
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
athena-omt
left a comment
athena-omt
left a comment
There was a problem hiding this comment.
Request changes: the policy update is incomplete because runtime apw doctor guidance still points at the old [self-hosted, synology, shell-only, public] pool. The new onboarding/docs now direct operators to [self-hosted, linux, shell-only, public], so the tool and the written policy disagree. Please update rust/src/native_app.rs and any related tests before merge.
athena-omt
added
the
state:needs-repair
athena-omt
added
area:infra
Update the native app doctor runner-label remediation to reference the new self-hosted Linux shell-only runner contract and add regression coverage so the retired Synology label does not reappear.
|
Addressed the requested doctor/runtime policy drift in commit
Local verification:
Current GitHub state after push: Rust |
athena-omt
left a comment
athena-omt
left a comment
There was a problem hiding this comment.
Approved. The prior policy drift is resolved: apw doctor now points shell-safe jobs at [self-hosted, linux, shell-only, public], the workflow/docs updates are aligned with that same runner contract, and the new regression coverage keeps the retired Synology label from coming back. I didn’t find any additional blockers in this PR.
athena-omt
removed
status:needs-review
pheidon
left a comment
pheidon
left a comment
There was a problem hiding this comment.
Findings:
-
.github/workflows/rust-ci.yml:10and.github/workflows/lint.yml:8now route Rust build/lint jobs to[self-hosted, linux, shell-only, public], but the live PR checks show that pool does not currently have a C linker. Both failing jobs die atcargo clippywitherror: linker cc not foundonlinux-public-runner-01. Because these workflows compile crates with build scripts/native dependencies, this runner label change makes required Rust validation red until the pool image includesccor these jobs stay on a runner that already has a C toolchain. -
.github/workflows/claude.yml:35moves Claude automation to[self-hosted, linux, shell-only, public]while the same job readsANTHROPIC_API_KEYand has write permissions for contents, PRs, issues, id-token, and actions. That is a secret-bearing automation path, not just shell-safe CI. It should remain on a trusted hosted/private runner or a dedicated trusted self-hosted pool, not the public shell-only fleet.
Validation I ran locally:
git diff --check bad72ff23033753c5985206508cc10cae8fed7a9..HEADCARGO_TARGET_DIR=/tmp/apw-cli-89-review-target cargo test --manifest-path rust/Cargo.toml native_app::tests::doctor_does_not_create_default_credentials_file_without_demo_gate -- --nocapture
The native-app diagnostic test passed locally; the blocking concerns are runner capability and secret-bearing workflow placement.
3 participants
Summary
ubuntu-latestand onto the shared self-hosted Linux shell-safe runner contract.Validation
ruby -e 'require "yaml"; ARGV.each { |f| YAML.load_file(f); puts f }' .github/workflows/*.ymlgit diff --checkbash scripts/ci/run-fast-checks.sh- passedNotes