Skip to content

[codex] Allow soak runner control egress#51

Draft
scttbnsn wants to merge 1 commit into
mainfrom
codex/soak-runner-egress
Draft

[codex] Allow soak runner control egress#51
scttbnsn wants to merge 1 commit into
mainfrom
codex/soak-runner-egress

Conversation

@scttbnsn

@scttbnsn scttbnsn commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Summary

  • keeps the weekly soak job in Harden Runner block mode
  • adds the GitHub Actions control, log, artifact, and cache endpoints needed by the multi-hour soak
  • adds StepSecurity API/telemetry endpoints observed in the last successful audit-mode run

Root cause

The soak workflow moved from Harden Runner audit mode to block mode with an allowlist that covered checkout/setup traffic but not the long-lived GitHub Actions runner communication paths. The failed runs ended with runner communication loss before the soak script could finish or upload artifacts.

Validation

  • actionlint .github/workflows/quality-soak-weekly.yml
  • zizmor .github/workflows/quality-soak-weekly.yml
  • git diff --check HEAD~1..HEAD
  • pre-push hook: GoReleaser snapshot, golangci-lint run, go test ./..., govulncheck, fuzz smoke, actionlint, zizmor, clean-tree

Follow-up

The real verification is rerunning Quality: Soak; the failure only shows up during the long GitHub-hosted run.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant