From 178d38bc739bad05b3334906e6d2c87337fc0b99 Mon Sep 17 00:00:00 2001 From: Alex Goodman Date: Fri, 7 Nov 2025 17:49:39 -0500 Subject: [PATCH] migrate to runs-on runners Signed-off-by: Alex Goodman --- .github/workflows/codeql-analysis.yml | 5 +-- .github/workflows/dependabot-automation.yaml | 1 + .github/workflows/detect-schema-changes.yaml | 3 +- .github/workflows/oss-project-board-add.yaml | 1 + .github/workflows/release.yaml | 7 ++-- .../remove-awaiting-response-label.yaml | 1 + .../workflows/test-fixture-cache-publish.yaml | 3 +- .../workflows/update-anchore-dependencies.yml | 3 +- .github/workflows/update-bootstrap-tools.yml | 9 +++--- .../workflows/update-cpe-dictionary-index.yml | 3 +- .../workflows/update-spdx-license-list.yaml | 3 +- .../workflows/validate-github-actions.yaml | 3 +- .github/workflows/validations.yaml | 32 +++++++++---------- 13 files changed, 43 insertions(+), 31 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 80b6477cc..11e806fe4 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -20,7 +20,8 @@ permissions: jobs: analyze: name: Analyze - runs-on: ubuntu-22.04-4core-16gb + # Runner definition: workflows/.github/runs-on.yml + runs-on: runs-on=${{ github.run_id }}/runner=small-arm if: github.repository == 'anchore/syft' # only run for main repo permissions: security-events: write @@ -51,7 +52,7 @@ jobs: with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. + # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. # queries: ./path/to/local/query, your-org/your-repo/queries@main 
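Review bot: The comment added in the `analyze` job (`# Runner definition: workflows/.github/runs-on.yml`) names a file that this patch does not add and that reads like a path inside this repository, yet that file now decides which image and instance type the job executes on. If it lives in the `anchore/workflows` repository (inferred from the reusable-workflow references elsewhere in this patch), say so, for example `# Runner definition: anchore/workflows/.github/runs-on.yml (controls the image and instance type for this job)`. A reader then knows that write access to that file changes the execution environment of a job holding `security-events: write`. The same comment is repeated at every `runs-on:` change in the patch, and the job body continues outside the hunk.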
diff --git a/.github/workflows/dependabot-automation.yaml b/.github/workflows/dependabot-automation.yaml index 1c3ded297..680395e1d 100644 --- a/.github/workflows/dependabot-automation.yaml +++ b/.github/workflows/dependabot-automation.yaml @@ -7,4 +7,5 @@ permissions: jobs: run: + # Runner definition: workflows/.github/runs-on.yml uses: anchore/workflows/.github/workflows/dependabot-automation.yaml@main diff --git a/.github/workflows/detect-schema-changes.yaml b/.github/workflows/detect-schema-changes.yaml index 74c2455cc..0373a2c7c 100644 --- a/.github/workflows/detect-schema-changes.yaml +++ b/.github/workflows/detect-schema-changes.yaml @@ -27,7 +27,8 @@ env: jobs: label: name: "Label changes" - runs-on: ubuntu-22.04 + # Runner definition: workflows/.github/runs-on.yml + runs-on: runs-on=${{ github.run_id }}/runner=small-arm permissions: contents: read pull-requests: write diff --git a/.github/workflows/oss-project-board-add.yaml b/.github/workflows/oss-project-board-add.yaml index 0472de8e5..a1ed69d61 100644 --- a/.github/workflows/oss-project-board-add.yaml +++ b/.github/workflows/oss-project-board-add.yaml @@ -13,6 +13,7 @@ on: jobs: run: + # Runner definition: workflows/.github/runs-on.yml uses: "anchore/workflows/.github/workflows/oss-project-board-add.yaml@main" secrets: token: ${{ secrets.OSS_PROJECT_GH_TOKEN }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a74f10376..3795ed67f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -13,7 +13,8 @@ on: jobs: quality-gate: environment: release - runs-on: ubuntu-24.04 + # Runner definition: workflows/.github/runs-on.yml + runs-on: runs-on=${{ github.run_id }}/runner=tiny steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 with: 
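Review bot: In `dependabot-automation.yaml` the new `# Runner definition: …` comment sits above a `uses:` line, but a job that calls a reusable workflow has no `runs-on:` of its own, so nothing in this file selects a runner. The runner is picked inside the called workflow, which is referenced at the mutable ref `@main`; a more accurate comment would be `# Runner is selected inside the called workflow (anchore/workflows@main)`. The same applies to the comment-only hunks in `oss-project-board-add.yaml`, the `release-install-script` job in `release.yaml`, and `remove-awaiting-response-label.yaml`, two of which pass `secrets.OSS_PROJECT_GH_TOKEN` to that workflow.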
@@ -119,7 +120,8 @@ jobs: release: needs: [quality-gate] - runs-on: ubuntu-24.04 + # Runner definition: workflows/.github/runs-on.yml + runs-on: runs-on=${{ github.run_id }}/runner=release permissions: contents: write packages: write @@ -190,6 +192,7 @@ jobs: release-install-script: needs: [release] if: ${{ needs.release.result == 'success' }} + # Runner definition: workflows/.github/runs-on.yml uses: "anchore/workflows/.github/workflows/release-install-script.yaml@main" with: tag: ${{ github.event.inputs.version }} diff --git a/.github/workflows/remove-awaiting-response-label.yaml b/.github/workflows/remove-awaiting-response-label.yaml index cb27571ef..13204ad5f 100644 --- a/.github/workflows/remove-awaiting-response-label.yaml +++ b/.github/workflows/remove-awaiting-response-label.yaml @@ -10,6 +10,7 @@ jobs: contents: read issues: write pull-requests: write + # Runner definition: workflows/.github/runs-on.yml uses: "anchore/workflows/.github/workflows/remove-awaiting-response-label.yaml@main" secrets: token: ${{ secrets.OSS_PROJECT_GH_TOKEN }} diff --git a/.github/workflows/test-fixture-cache-publish.yaml b/.github/workflows/test-fixture-cache-publish.yaml index 88b89a5c4..8c7d421bd 100644 --- a/.github/workflows/test-fixture-cache-publish.yaml +++ b/.github/workflows/test-fixture-cache-publish.yaml @@ -14,7 +14,8 @@ jobs: Publish: name: "Publish test fixture image cache" # we use this runner to get enough storage space for docker images and fixture cache - runs-on: ubuntu-22.04-4core-16gb + # Runner definition: workflows/.github/runs-on.yml + runs-on: runs-on=${{ github.run_id }}/runner=release if: github.repository == 'anchore/syft' # only run for main repo permissions: packages: write diff --git a/.github/workflows/update-anchore-dependencies.yml b/.github/workflows/update-anchore-dependencies.yml index d910b2278..e0472da4f 100644 --- a/.github/workflows/update-anchore-dependencies.yml +++ b/.github/workflows/update-anchore-dependencies.yml 
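Review bot: The `release` job, which holds `contents: write` and `packages: write`, now runs on `runner=release`, and the `test-fixture-cache-publish.yaml` hunk later in this patch selects the same runner name for a routine cache-publish job. Nothing visible here shows how that runner is provisioned, so it is worth confirming that each instance serves a single job. If the definition allows it, give the cache-publish job its own runner name so the release runner can be restricted separately. A comment stating the expectation would help, for example `# release runner: must be ephemeral; this job holds contents/packages write`. The job's steps are outside the hunk.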
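Review bot: The context comment `# we use this runner to get enough storage space for docker images and fixture cache` in the `Publish` job was written for `ubuntu-22.04-4core-16gb` and now sits above `runner=release`, whose disk size is not visible in this repository. Update it to state the actual requirement, e.g. `# needs enough disk for docker images and the fixture cache; see the release runner definition`, or drop it. The `Unit-Test` hunk in `validations.yaml` has the same problem: `# we need more storage than what's on the default runner` now sits above `runner=small-arm`.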
@@ -12,7 +12,8 @@ permissions: jobs: update: - runs-on: ubuntu-latest + # Runner definition: workflows/.github/runs-on.yml + runs-on: runs-on=${{ github.run_id }}/runner=small-arm if: github.repository_owner == 'anchore' # only run for main repo (not forks) steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 diff --git a/.github/workflows/update-bootstrap-tools.yml b/.github/workflows/update-bootstrap-tools.yml index 89e9753fa..22360e028 100644 --- a/.github/workflows/update-bootstrap-tools.yml +++ b/.github/workflows/update-bootstrap-tools.yml @@ -10,7 +10,8 @@ permissions: jobs: update-bootstrap-tools: - runs-on: ubuntu-latest + # Runner definition: workflows/.github/runs-on.yml + runs-on: runs-on=${{ github.run_id }}/runner=small if: github.repository == 'anchore/syft' # only run for main repo steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 @@ -28,16 +29,16 @@ jobs: run: | make update-tools make list-tools - + export NO_COLOR=1 delimiter="$(openssl rand -hex 8)" - + { echo "status<<${delimiter}" make list-tool-updates echo "${delimiter}" } >> $GITHUB_OUTPUT - + { echo "### Tool version status" echo "\`\`\`" diff --git a/.github/workflows/update-cpe-dictionary-index.yml b/.github/workflows/update-cpe-dictionary-index.yml index 98e1a7a4c..ae2f7f4ff 100644 --- a/.github/workflows/update-cpe-dictionary-index.yml +++ b/.github/workflows/update-cpe-dictionary-index.yml @@ -13,7 +13,8 @@ env: jobs: upgrade-cpe-dictionary-index: - runs-on: ubuntu-latest + # Runner definition: workflows/.github/runs-on.yml + runs-on: runs-on=${{ github.run_id }}/runner=small-arm permissions: contents: read packages: write diff --git a/.github/workflows/update-spdx-license-list.yaml b/.github/workflows/update-spdx-license-list.yaml index c3c4d26cf..91b97dc82 100644 --- a/.github/workflows/update-spdx-license-list.yaml +++ b/.github/workflows/update-spdx-license-list.yaml 
@@ -13,7 +13,8 @@ env: jobs: upgrade-spdx-license-list: - runs-on: ubuntu-latest + # Runner definition: workflows/.github/runs-on.yml + runs-on: runs-on=${{ github.run_id }}/runner=small-arm if: github.repository == 'anchore/syft' # only run for main repo steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 diff --git a/.github/workflows/validate-github-actions.yaml b/.github/workflows/validate-github-actions.yaml index afd39914e..f9aecb6e6 100644 --- a/.github/workflows/validate-github-actions.yaml +++ b/.github/workflows/validate-github-actions.yaml @@ -18,7 +18,8 @@ permissions: jobs: zizmor: name: "Lint" - runs-on: ubuntu-latest + # Runner definition: workflows/.github/runs-on.yml + runs-on: runs-on=${{ github.run_id }}/runner=small-arm permissions: contents: read security-events: write # for uploading SARIF results diff --git a/.github/workflows/validations.yaml b/.github/workflows/validations.yaml index d070dc6a2..5ff26421b 100644 --- a/.github/workflows/validations.yaml +++ b/.github/workflows/validations.yaml @@ -8,14 +8,14 @@ on: - main permissions: - contents: read + contents: read jobs: - Static-Analysis: # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline name: "Static analysis" - runs-on: ubuntu-24.04 + # Runner definition: workflows/.github/runs-on.yml + runs-on: runs-on=${{ github.run_id }}/runner=small-arm steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 with: 
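Review bot: Starting with `Static-Analysis`, the `validations.yaml` jobs that run `make` targets from the checked-out tree move off GitHub-hosted machines onto `runs-on=…/runner=small-arm`. The trigger block is only partly visible, but the `Cleanup-Cache` condition on `github.event.pull_request.head.repo.full_name` suggests the workflow runs for pull requests, including ones from forks, so contributor-controlled code would execute on these runners. Confirm in the runner definition that each instance is discarded after one job and gives the job no cloud instance credentials or internal network access. Record that next to the label, e.g. `# runs PR code: runner must be ephemeral with no instance role`. The same applies to the Unit-Test, Integration-Test, Build-Snapshot-Artifacts, Acceptance-Linux and Cli-Linux hunks.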
@@ -27,12 +27,12 @@ jobs: - name: Run static analysis run: make static-analysis - Unit-Test: # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline name: "Unit tests" # we need more storage than what's on the default runner - runs-on: ubuntu-22.04-4core-16gb + # Runner definition: workflows/.github/runs-on.yml + runs-on: runs-on=${{ github.run_id }}/runner=small-arm steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 with: @@ -46,11 +46,11 @@ jobs: - name: Run unit tests run: make unit - Integration-Test: # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline name: "Integration tests" - runs-on: ubuntu-24.04 + # Runner definition: workflows/.github/runs-on.yml + runs-on: runs-on=${{ github.run_id }}/runner=small-arm steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 with: @@ -67,10 +67,10 @@ jobs: - name: Run integration tests run: make integration - Build-Snapshot-Artifacts: name: "Build snapshot artifacts" - runs-on: ubuntu-24.04 + # Runner definition: workflows/.github/runs-on.yml + runs-on: runs-on=${{ github.run_id }}/runner=build steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 with: @@ -100,12 +100,11 @@ jobs: .task key: snapshot-build-${{ github.run_id }} - Upload-Snapshot-Artifacts: # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline name: "Upload snapshot artifacts" needs: [Build-Snapshot-Artifacts] - runs-on: ubuntu-24.04 + runs-on: ubuntu-latest-arm steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 with: 
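Review bot: `Upload-Snapshot-Artifacts` switches to `runs-on: ubuntu-latest-arm`, which is neither a `runs-on=…/runner=…` label like the rest of the patch nor, as far as I know, one of GitHub's standard hosted labels (the hosted arm64 labels are versioned, such as `ubuntu-24.04-arm`). If it is not a runner label defined for the organisation, the job will wait for a runner that never appears; if it is, it replaces a pinned image (`ubuntu-24.04`) with a floating one. Consider `runs-on: ubuntu-24.04-arm`, or the `runs-on=${{ github.run_id }}/runner=small-arm` form with the same `# Runner definition` comment. The `Cleanup-Cache` hunk at the end of the patch, a job with `actions: write`, makes the same change.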
@@ -162,7 +161,8 @@ jobs: # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline name: "Acceptance tests (Linux)" needs: [Build-Snapshot-Artifacts] - runs-on: ubuntu-24.04 + # Runner definition: workflows/.github/runs-on.yml + runs-on: runs-on=${{ github.run_id }}/runner=small-arm steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 with: @@ -202,7 +202,6 @@ jobs: if: steps.install-test-image-cache.outputs.cache-hit != 'true' run: make install-test-cache-save - Acceptance-Mac: # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline name: "Acceptance tests (Mac)" @@ -244,12 +243,12 @@ jobs: - name: Run install.sh tests (Mac) run: make install-test-ci-mac - Cli-Linux: # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline name: "CLI tests (Linux)" needs: [Build-Snapshot-Artifacts] - runs-on: ubuntu-24.04 + # Runner definition: workflows/.github/runs-on.yml + runs-on: runs-on=${{ github.run_id }}/runner=small-arm steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 with: @@ -278,11 +277,10 @@ jobs: - name: Run CLI Tests (Linux) run: make cli - Cleanup-Cache: name: "Cleanup snapshot cache" if: github.event.pull_request.head.repo.full_name == github.repository - runs-on: ubuntu-24.04 + runs-on: ubuntu-latest-arm permissions: actions: write needs:
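Review bot: `Acceptance-Linux` and `Cli-Linux` now run on `runner=small-arm`, while the snapshot they depend on is built on `runner=build`; the CPU architecture of both runners is defined outside this patch. If `small-arm` is arm64, as the name suggests, these jobs would exercise only the arm64 Linux artifacts where `ubuntu-24.04` previously exercised amd64, leaving the amd64 build without acceptance or CLI coverage before release. Either keep one of the two jobs on an x86 runner or state the intended coverage in a comment such as `# arm64 only; amd64 Linux artifacts are covered by <job name>`. Both job bodies continue outside the hunks.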