chore(infra-standards)!: drop self-hosted-runners skill; trim infrastructure-standards #321
Merged
Code Review
This pull request updates the documentation for self-hosted runners to include guidelines and requirements for on-prem runners. It introduces a decision table for when to use on-prem vs. RunsOn and establishes five reliability rules for on-prem setups, including GitHub App authentication and health checks. Feedback was provided regarding a contradiction in the secret check requirement, where PAT was mentioned despite being prohibited in a previous rule.
JacobPEvans added a commit to dryvist/docs that referenced this pull request May 24, 2026
The CI/CD overview documented the four runner tiers but didn't say what a self-hosted runner has to actually be. The recurring token-refresh failure in orbstack-kubernetes (dryvist/orbstack-kubernetes#234, #237) shows the cost of leaving this implicit.

Adds a single subsection between "Runner tiers" and "The shape of every IaC pipeline" listing the five non-negotiables for any self-hosted runner: GitHub App auth (not PAT), digest-pinned image, process healthcheck, dead-man's-switch heartbeat, pre-flight secret check. Links to the orbstack-kubernetes runner as the reference implementation.

Companion PRs codify the same rules at the AI-agent layer:
- dryvist/ai-assistant-instructions#654 (org-wide ci-cd-policy rule)
- dryvist/claude-code-plugins#321 (self-hosted-runners skill)

Supersedes the earlier standalone runner-topology-page draft in this PR's history — the four-tier CI/CD section landed in #23 in the meantime, making a separate topology page redundant.

Assisted-by: Claude <noreply@anthropic.com>
f534b7d to 92efe74
…ructure-standards

The self-hosted-runners content is workflow standard, not AI-agent guidance, and already lives in ai-assistant-instructions/agentsmd/rules/ci-cd-policy.md (companion PR #654).

The infrastructure-standards skill is trimmed to the two tables agents actually need at edit time: VMID/IP assignment ranges and the Terraform-to-Ansible inventory contract. Everything else (general principles, deployment pipeline, dev shells, SOPS/Doppler) is canonical on docs.jacobpevans.com and the config-secrets/secrets-policy org rules.

BREAKING CHANGE: /self-hosted-runners skill removed.

Assisted-by: Claude <noreply@anthropic.com>
92efe74 to e1d75da
Summary
Repurposed from the original on-prem-runner docs addition. Two changes:
- Drop the `self-hosted-runners` skill entirely. It is workflow standard, not AI-agent guidance, and the content (RunsOn vs github-hosted, on-prem requirements, label catalog) is being codified into `ai-assistant-instructions/agentsmd/rules/ci-cd-policy.md` via the companion PR. AI agents do not need a separate skill to know when to pick a runner — they need the org rule loaded into every session.
- Trim `infrastructure-standards/SKILL.md` from 125 to ~50 lines. Everything duplicated by docs.jacobpevans.com/infrastructure and the `config-secrets`/`secrets-policy` org rules is removed: general IaC principles, the deployment pipeline diagram, the dev-shell template table, the SOPS-vs-Doppler decision table, Doppler usage, SOPS configuration. What stays is what an agent needs at edit time without leaving the editor: VMID/IP assignment ranges and the Terraform-to-Ansible inventory contract.

The plugin manifest version bumps to 1.8.0 and the description narrows accordingly.
Companion PR
JacobPEvans/ai-assistant-instructions#654 — on-prem runner requirements landing in `agentsmd/rules/ci-cd-policy.md`.

Test plan
- `jq '.skills' infra-standards/.claude-plugin/plugin.json` returns the single remaining skill
- `grep -r "self-hosted-runners"` returns only the historical CHANGELOG entry (release-please-generated)
- `wc -l infra-standards/skills/infrastructure-standards/SKILL.md` ≤ 52 lines (target was ≤ 50)
- `pre-commit run --all-files` passes

Breaking change
The `/self-hosted-runners` skill no longer exists. The `!` in the commit type plus the `BREAKING CHANGE:` trailer signal release-please to cut a major-bump release. Downstream consumers should update their plugin reference; the canonical replacement is the org rule in `ai-assistant-instructions`.

Assisted-by: Claude noreply@anthropic.com