Restrict trusted perf evidence to server main

Author: durable-workflow-ops

docs/bounded-growth.md

@@ -121,8 +121,9 @@ for at least one hour, use compose-backed resource sampling, run on a
 self-hosted runner with an explicit `RUNNER_ENVIRONMENT=self-hosted` provenance
 value, include GitHub Actions provenance (`GITHUB_REPOSITORY`, `GITHUB_REF`,
 `GITHUB_SHA`, `GITHUB_WORKFLOW`, `GITHUB_RUN_ID`, and `GITHUB_RUN_ATTEMPT`),
-have a clean tracked working tree, meet sample coverage, and have no
-bounded-growth assertion failures. A local run can still produce useful
+come from `durable-workflow/server` on `refs/heads/main`, have a clean tracked
+working tree, meet sample coverage, and have no bounded-growth assertion
+failures. A local run or feature-branch workflow can still produce useful
 artifacts, but it cannot satisfy the trusted long-soak evidence profile just by
 setting `RUNNER_ENVIRONMENT=self-hosted`.
 The CI smoke workflow sets `RUNNER_ENVIRONMENT=github-hosted` so those artifacts

docs/perf-runner.md

@@ -83,8 +83,10 @@ final drain counts, sample coverage, GitHub runner provenance, and the
 SHA-256 digest of `config/dw-bounded-growth.php`. Trusted long-soak evidence
 also requires `tracked_working_tree_clean=true` and GitHub Actions provenance
 (`GITHUB_REPOSITORY`, `GITHUB_REF`, `GITHUB_SHA`, `GITHUB_WORKFLOW`,
-`GITHUB_RUN_ID`, and `GITHUB_RUN_ATTEMPT`), so artifacts from uncommitted source,
-policy edits, or ad hoc local runs are marked ineligible for the trusted profile.
+`GITHUB_RUN_ID`, and `GITHUB_RUN_ATTEMPT`) from `durable-workflow/server` on
+`refs/heads/main`, so artifacts from uncommitted source, policy edits, feature
+branches, forks, or ad hoc local runs are marked ineligible for the trusted
+profile.
 The harness fails when it cannot collect at least `DW_PERF_MIN_SAMPLE_COVERAGE`
 of the expected periodic samples, which defaults to 80%. The final post-drain
 sample is included in the artifact but does not count toward the periodic sample

scripts/perf/server_soak.py

@@ -697,6 +697,10 @@ def evidence_trust_profile(
         reasons.append(f"runner environment is {runner_environment}, not self-hosted")
     if not github_actions_provenance_present(provenance):
         reasons.append("GitHub Actions provenance is incomplete")
+    if str(provenance.get("repository") or "").strip() != "durable-workflow/server":
+        reasons.append("GitHub Actions repository is not durable-workflow/server")
+    if str(provenance.get("ref") or "").strip() != "refs/heads/main":
+        reasons.append("GitHub Actions ref is not refs/heads/main")
     if not tracked_working_tree_clean:
         reasons.append("tracked working tree has uncommitted changes")
     if periodic_sample_count < minimum_trusted_samples:
@@ -713,6 +717,7 @@ def evidence_trust_profile(
         "runner_environment": runner_environment,
         "requires_self_hosted_runner": True,
         "requires_github_actions_provenance": True,
+        "requires_server_main_ref": True,
         "requires_compose_resource_sampling": True,
         "requires_clean_tracked_working_tree": True,
         "reasons": reasons,

tests/Unit/ServerPerfHarnessContractTest.php

@@ -54,10 +54,13 @@ public function test_soak_summary_records_trusted_evidence_fields(): void
             'minimum_duration_seconds',
             'requires_self_hosted_runner',
             'requires_github_actions_provenance',
+            'requires_server_main_ref',
             'requires_compose_resource_sampling',
             'requires_clean_tracked_working_tree',
             'runner environment is unknown',
             'GitHub Actions provenance is incomplete',
+            'GitHub Actions repository is not durable-workflow/server',
+            'GitHub Actions ref is not refs/heads/main',
             'tracked working tree has uncommitted changes',
             'duration below trusted long-soak minimum',
             'bounded-growth assertions failed',