Context
Surfaced during UBLGenie's CI migration PR (Back-to-code/ublgenie-app#165) — first territory to adopt Back-to-code/actions/setup-{php,node}@v1. PR review flagged that bare runs-on: self-hosted (Rule 1 in this repo's README) leaves the ARC pool open to any rogue runner registered with the self-hosted label under ISO 27001 A.5.20.
Deferred from #165 because the fix is war-room-wide, not per-territory: workflow-side label changes can't land until the ARC pool re-registers with matching labels — otherwise jobs queue indefinitely.
Required coordination (single window)
- Doctrine update (this repo) — README Rule 1 evolves from runs-on: self-hosted to runs-on: [self-hosted, <territory>, linux-x64]. Document the labelled-pool pattern and per-territory naming.
- Infra re-registration — re-register the ARC RunnerScaleSet / RunnerDeployment manifest with new labels (typically --labels on the runner spec). Owner: infra.
- Per-territory workflow change — each consuming repo replaces runs-on: self-hosted with the labelled-array form. Currently in scope: ublgenie-app (#165 already merged on bare label), daymate/api (not yet adopted).
Acceptance
- gh api /repos/<org>/<repo>/actions/runners showing app-specific labels)
- ublgenie-app/.github/workflows/pr-checks.yml migrated to labelled form
- Back-to-code/actions to prevent inheriting bare-label posture
References
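A CI guard for the per-territory workflow change described above, as an added example that is not part of the original issue or of the repo's own tooling: it flags self-hosted jobs whose runs-on lacks the [self-hosted, <territory>, linux-x64] label set, in scalar, inline-list and block-list form. The territory label value ublgenie, the function names and the sample workflow are assumptions constructed for illustration.

```python
import re

RUNS_ON = re.compile(r"^\s*runs-on:\s*(.*?)\s*(?:#.*)?$")
ITEM = re.compile(r"^\s*-\s*(.+?)\s*(?:#.*)?$")

# Constructed sample workflow; the territory label "ublgenie" is an assumption.
SAMPLE = """\
jobs:
  lint:
    runs-on: self-hosted
  test:
    runs-on: [self-hosted, ublgenie, linux-x64]
  build:
    runs-on:
      - self-hosted
      - linux-x64
  docs:
    runs-on: ubuntu-latest
"""

def _labels(value):
    """Split an inline runs-on value (scalar or [a, b] flow list) into labels."""
    value = value.strip().strip("[]")
    return [v.strip().strip("'\"") for v in value.split(",") if v.strip()]

def find_unpinned_jobs(workflow_text, territory):
    """Return (line_number, labels) for every self-hosted runs-on that is
    missing part of the [self-hosted, <territory>, linux-x64] label set."""
    required = {"self-hosted", territory, "linux-x64"}
    lines = workflow_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = RUNS_ON.match(line)
        if not m:
            continue
        if m.group(1):  # scalar or inline [a, b] form
            labels = _labels(m.group(1))
        else:  # block-style list on the lines that follow
            labels = []
            for nxt in lines[i + 1:]:
                item = ITEM.match(nxt)
                if not item:
                    break
                labels.append(item.group(1).strip("'\""))
        if "self-hosted" in labels and not required <= set(labels):
            findings.append((i + 1, labels))
    return findings
```

A runs-on value built from an expression such as a matrix variable is not resolved by this line-based check and needs manual review.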