46 changes: 23 additions & 23 deletions .github/workflows/release.yml
Expand Up @@ -33,7 +33,7 @@
goreleaser:
if: github.event.pull_request.draft == false
name: '${{ matrix.golang_cross }}'
runs-on: ubuntu-latest-m
runs-on: ${{ vars.DEFAULT_RUNNER }}
permissions:
id-token: write # AWS OIDC JWT
contents: read # actions/checkout
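Review bot: `runs-on: ${{ vars.DEFAULT_RUNNER }}` makes the execution environment of a job that holds `id-token: write` and assumes an AWS role depend on a repository variable that is not visible in this diff. If the variable is unset the expression renders as an empty string and the job never finds a runner, and anyone who can edit repository variables can move this job (and the role session it obtains) to another runner pool without a reviewed code change. Suggest documenting the expected value next to the job (the other hunks in this file point at a `warp-...` label) and giving it a fallback, e.g. `runs-on: ${{ vars.DEFAULT_RUNNER || 'ubuntu-latest' }}`.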
Expand Down Expand Up @@ -80,8 +80,20 @@
registry: docker.tyk.io
username: ${{ secrets.CLOUDSMITH_USERNAME }}
password: ${{ secrets.CLOUDSMITH_API_KEY }}
- uses: actions/cache@v4
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk
role-session-name: cipush
aws-region: eu-central-1
# Don't mask to pass it across job boundaries
mask-aws-account-id: false
- uses: aws-actions/amazon-ecr-login@v2
id: ecr
if: ${{ matrix.golang_cross == '1.24-bullseye' }}
with:
mask-password: 'true'
- uses: WarpBuilds/cache@v1
with:
Check warning on line 96 in .github/workflows/release.yml (probelabs / Visor: security)
security Issue: The workflow uses a third-party GitHub Action (`WarpBuilds/cache@v1`) referenced by a mutable tag (`v1`). If an attacker compromises the action's repository and updates the `v1` tag to point to a malicious commit, the workflow could execute arbitrary code. This could lead to credential theft, code injection, or other supply chain attacks within the CI/CD pipeline. The same issue exists on line 530.
Raw output: Pin the action to a specific, immutable commit SHA instead of a tag. Replace `uses: WarpBuilds/cache@v1` with `uses: WarpBuilds/cache@<full-commit-hash>` after verifying the commit hash for the desired version in the source repository. This ensures the workflow always executes a specific, vetted version of the action.
path: |
~/.cache/go-build
~/go/pkg/mod
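Review bot: the reordering puts `aws-actions/configure-aws-credentials@v4`, `aws-actions/amazon-ecr-login@v2` and the `docker.tyk.io` login ahead of the cache restore, so the third-party `WarpBuilds/cache@v1` step (referenced by a mutable `v1` tag) now runs with AWS session credentials exported into the job environment and registry tokens written to the Docker config. If the cache step has to come first, pin it to a full commit SHA; otherwise keep the credential steps after the cache restore, where they sat before this change, so a compromised cache action sees no credentials. Separately, `configure-aws-credentials` is unconditional while `amazon-ecr-login` is gated on `matrix.golang_cross == '1.24-bullseye'`, so every matrix leg assumes `ecr_rw_tyk` even when it will not push; the same `if` on the credentials step would keep the role session to the one leg that needs it.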
Expand Down Expand Up @@ -119,18 +131,6 @@
-v /tmp/build.sh:/tmp/build.sh \
-w /go/src/github.com/TykTechnologies/tyk \
tykio/golang-cross:${{ matrix.golang_cross }} /tmp/build.sh
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk
role-session-name: cipush
aws-region: eu-central-1
# Don't mask to pass it across job boundaries
mask-aws-account-id: false
- uses: aws-actions/amazon-ecr-login@v2
id: ecr
if: ${{ matrix.golang_cross == '1.24-bullseye' }}
with:
mask-password: 'true'
- name: Docker metadata for ee CI
id: ci_metadata_ee
if: ${{ matrix.golang_cross == '1.24-bullseye' }}
Expand Down Expand Up @@ -286,8 +286,8 @@
resolve-dashboard-image:
if: github.event.pull_request.draft == false
needs: goreleaser
runs-on: ubuntu-latest
runs-on: warp-ubuntu-latest-x64-8x
Check warning on line 289 in .github/workflows/release.yml (probelabs / Visor: architecture)
architecture Issue: The `resolve-dashboard-image` job uses a hardcoded runner (`warp-ubuntu-latest-x64-8x`) while other jobs in the same workflow have been updated to use the `${{ vars.DEFAULT_RUNNER }}` variable. This inconsistency undermines the benefit of centralizing the runner configuration and creates a future maintenance risk, as this job might be missed during subsequent runner updates.
Raw output: To ensure consistency and simplify maintenance, replace the hardcoded runner value with the repository variable `${{ vars.DEFAULT_RUNNER }}`.
permissions:
Check warning on line 290 in .github/workflows/release.yml (probelabs / Visor: quality)
architecture Issue: The `resolve-dashboard-image` job uses a hardcoded runner `warp-ubuntu-latest-x64-8x`, while other jobs in the workflow have been updated to use the `${{ vars.DEFAULT_RUNNER }}` variable. This inconsistency can lead to maintenance challenges, as this specific runner might be missed during future updates to the runner infrastructure.
Raw output: To improve consistency and maintainability, replace the hardcoded value with a variable. If this job requires a different runner from the default, consider introducing a new, descriptively named variable (e.g., `${{ vars.LARGE_RUNNER }}`) to make the configuration clearer and easier to manage.
id-token: write
contents: read
outputs:
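Review bot: `resolve-dashboard-image` is the one job in this change that hardcodes `warp-ubuntu-latest-x64-8x` instead of `${{ vars.DEFAULT_RUNNER }}`, and the only work visible here is computing outputs under `id-token: write`, which does not obviously need an 8-core runner. Either switch it to the variable or add a comment beside `runs-on:` saying why this job needs a different size, so the next runner change does not skip it.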
Expand Down Expand Up @@ -477,7 +477,7 @@
build-dashboard-image:
if: needs.resolve-dashboard-image.outputs.needs_build == 'true'
needs: resolve-dashboard-image
runs-on: ubuntu-latest-m
runs-on: ${{ vars.DEFAULT_RUNNER }}
permissions:
id-token: write
contents: read
Expand Down Expand Up @@ -526,7 +526,7 @@
mask-password: 'true'
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
- uses: actions/cache@v4
- uses: WarpBuilds/cache@v1
with:
path: |
~/.cache/go-build
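Review bot: as in the goreleaser job, `WarpBuilds/cache@v1` here runs immediately after the ECR login (`mask-password: 'true'` above) and is referenced by a mutable tag; pin it to a full commit SHA. Also confirm whether the WarpBuild cache backend shares entries with the `actions/cache@v4` entries it replaces for `~/.cache/go-build` and `~/go/pkg/mod`; if not, the first runs after merge will rebuild from a cold cache, which should be expected as slower builds rather than treated as a regression.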
Expand Down Expand Up @@ -639,7 +639,7 @@
if: github.event.pull_request.draft == false
needs:
- goreleaser
runs-on: ubuntu-latest
runs-on: ${{ vars.DEFAULT_RUNNER }}
outputs:
envfiles: ${{ steps.params.outputs.envfiles }}
pump: ${{ steps.params.outputs.pump }}
Expand All @@ -665,7 +665,7 @@
needs.goreleaser.result == 'success' &&
needs.resolve-dashboard-image.result == 'success' &&
(needs.build-dashboard-image.result == 'success' || needs.build-dashboard-image.result == 'skipped')
runs-on: ubuntu-latest-m-2
runs-on: ${{ vars.DEFAULT_RUNNER }}
env:
XUNIT_REPORT_PATH: ${{ github.workspace}}/test-results.xml
permissions:
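Review bot: this job previously ran on `ubuntu-latest-m-2`, a different size from the `ubuntu-latest-m` used by goreleaser and `build-dashboard-image`; collapsing both onto `${{ vars.DEFAULT_RUNNER }}` removes that distinction. Check that the default is sized for `api-tests`, or introduce a second variable for the larger jobs as the Visor note above suggests.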
Expand Down Expand Up @@ -734,7 +734,7 @@
execution_status: ${{ steps.test_execution.outcome }}
aggregator-ci-test:
name: Aggregated CI Status
runs-on: ubuntu-latest
runs-on: ${{ vars.DEFAULT_RUNNER }}
# Dynamically determine which jobs to depend on based on repository configuration
needs: [goreleaser, api-tests]
if: ${{ always() && github.event_name == 'pull_request' }}
Expand Down Expand Up @@ -766,7 +766,7 @@
if: github.event.pull_request.draft == false
needs:
- goreleaser
runs-on: ubuntu-latest
runs-on: ${{ vars.DEFAULT_RUNNER }}
outputs:
deb: ${{ steps.params.outputs.deb }}
rpm: ${{ steps.params.outputs.rpm }}
Expand All @@ -787,7 +787,7 @@
services:
httpbin.org:
image: kennethreitz/httpbin
runs-on: ubuntu-latest
runs-on: ${{ vars.DEFAULT_RUNNER }}
needs:
- test-controller-distros
strategy:
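Review bot: this job and the one below declare a `services:` container (`kennethreitz/httpbin`), which requires a Linux runner with Docker available; `${{ vars.DEFAULT_RUNNER }}` hides that requirement. Record it in a comment next to `runs-on:` or in the variable's description so a later change of the default runner image does not break only these distro test jobs.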
Expand Down Expand Up @@ -845,7 +845,7 @@
services:
httpbin.org:
image: kennethreitz/httpbin
runs-on: ubuntu-latest
runs-on: ${{ vars.DEFAULT_RUNNER }}
needs:
- test-controller-distros
strategy: