From 09e2cf1103fca71568f0e94c86172a46629afb1d Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Tue, 28 Apr 2026 19:26:45 -0700
Subject: [PATCH] ci: right-size codeql quality runners

Run CodeQL Critical Quality on 4 vCPU Blacksmith runners.
---
 .github/actionlint.yaml | 1 +
 .github/workflows/codeql-critical-quality.yml | 12 ++++++------
 docs/ci.md | 6 ++++--
 3 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
index 565ef319ba7..d4d589bfcb0 100644
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@@ -4,6 +4,7 @@ self-hosted-runner:
 labels:
 # Blacksmith CI runners
+ - blacksmith-4vcpu-ubuntu-2404
 - blacksmith-8vcpu-ubuntu-2404
 - blacksmith-8vcpu-windows-2025
 - blacksmith-16vcpu-ubuntu-2404
diff --git a/.github/workflows/codeql-critical-quality.yml b/.github/workflows/codeql-critical-quality.yml
index 8d72f7cdc9e..f362cffd7a1 100644
--- a/.github/workflows/codeql-critical-quality.yml
+++ b/.github/workflows/codeql-critical-quality.yml
@@ -20,7 +20,7 @@ permissions:
 jobs:
 javascript-typescript:
 name: Critical Quality (javascript-typescript)
- runs-on: blacksmith-8vcpu-ubuntu-2404
+ runs-on: blacksmith-4vcpu-ubuntu-2404
 timeout-minutes: 25
 steps:
 - name: Checkout
@@ -41,7 +41,7 @@ jobs:

 config-boundary:
 name: Critical Quality (config-boundary)
- runs-on: blacksmith-8vcpu-ubuntu-2404
+ runs-on: blacksmith-4vcpu-ubuntu-2404
 timeout-minutes: 25
 steps:
 - name: Checkout
@@ -62,7 +62,7 @@ jobs:

 gateway-runtime-boundary:
 name: Critical Quality (gateway-runtime-boundary)
- runs-on: blacksmith-8vcpu-ubuntu-2404
+ runs-on: blacksmith-4vcpu-ubuntu-2404
 timeout-minutes: 25
 steps:
 - name: Checkout
@@ -83,7 +83,7 @@ jobs:

 channel-runtime-boundary:
 name: Critical Quality (channel-runtime-boundary)
- runs-on: blacksmith-8vcpu-ubuntu-2404
+ runs-on: blacksmith-4vcpu-ubuntu-2404
 timeout-minutes: 25
 steps:
 - name: Checkout
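Review bot: Every job in this file keeps `timeout-minutes: 25` while its runner drops from 8 to 4 vCPU (this hunk and the identical hunks at @@ -41, @@ -62, @@ -83, @@ -104 and @@ -125); CodeQL database extraction and query evaluation are CPU-bound, so the headroom that 25 minutes gave on the 8 vCPU label is not guaranteed to survive the halving. If the later steps use `github/codeql-action/init`, its `threads` and `ram` inputs default to what the runner exposes, so the smaller label presumably also reduces memory available to the evaluator, not just cores. I would expect the commit to cite measured durations for these six jobs on `blacksmith-4vcpu-ubuntu-2404`, or to raise the limit to keep the same margin, for example `timeout-minutes: 40`, because a timed-out job reports a cancellation rather than query findings and is easy to misread as flakiness. The job bodies beyond the Checkout step lie outside the hunk.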
@@ -104,7 +104,7 @@ jobs:

 agent-runtime-boundary:
 name: Critical Quality (agent-runtime-boundary)
- runs-on: blacksmith-8vcpu-ubuntu-2404
+ runs-on: blacksmith-4vcpu-ubuntu-2404
 timeout-minutes: 25
 steps:
 - name: Checkout
@@ -125,7 +125,7 @@ jobs:

 plugin-boundary:
 name: Critical Quality (plugin-boundary)
- runs-on: blacksmith-8vcpu-ubuntu-2404
+ runs-on: blacksmith-4vcpu-ubuntu-2404
 timeout-minutes: 25
 steps:
 - name: Checkout
diff --git a/docs/ci.md b/docs/ci.md
index 0729759b76b..2e657d12692 100644
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -250,8 +250,9 @@ default workflow because the macOS build dominates runtime even when clean.

 The `CodeQL Critical Quality` workflow is the matching non-security shard. It runs only error-severity, non-security JavaScript/TypeScript quality queries
-over narrow high-value surfaces. Its baseline job scans the same auth, secrets,
-sandbox, cron, and gateway surface as the security workflow. The config-boundary
+over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its
+baseline job scans the same auth, secrets, sandbox, cron, and gateway surface
+as the security workflow. The config-boundary
 job scans config schema, migration, normalization, and IO contracts under the separate `/codeql-critical-quality/config-boundary` category. The gateway-runtime-boundary job scans gateway protocol schemas and server method
@@ -393,6 +394,7 @@ The automatic CI concurrency key is versioned (`CI-v7-*`) so a GitHub-side zombi
 | Runner | Jobs |
 | -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `ubuntu-24.04` | `preflight`, fast security jobs and aggregates (`security-scm-fast`, `security-dependency-audit`, `security-fast`), fast protocol/contract/bundled checks, sharded channel contract checks, `check` shards except lint, `check-additional` shards and aggregates, Node test aggregate verifiers, docs checks, Python skills, workflow-sanity, labeler, auto-response; install-smoke preflight also uses GitHub-hosted Ubuntu so the Blacksmith matrix can queue earlier |
+| `blacksmith-4vcpu-ubuntu-2404` | `CodeQL Critical Quality`, lower-weight extension shards, `checks-fast-core`, `checks-node-compat-node22`, `check-prod-types`, and `check-test-types` |
 | `blacksmith-8vcpu-ubuntu-2404` | `build-artifacts`, build-smoke, Linux Node test shards, bundled plugin test shards, `android` |
 | `blacksmith-16vcpu-ubuntu-2404` | `check-lint`, which remains CPU-sensitive enough that 8 vCPU cost more than it saved; install-smoke Docker builds, where 32-vCPU queue time cost more than it saved |
 | `blacksmith-16vcpu-windows-2025` | `checks-windows` |