From 4e5ab3b17539f14f745100c49c7f7d84add38fe2 Mon Sep 17 00:00:00 2001
From: Vault Automation <github-team-secure-vault-core@hashicorp.com>
Date: Wed, 6 May 2026 11:14:58 -0600
Subject: [PATCH] Backport actions: use standard runner labels for all
 workflows into release/2.x.x+ent

* actions: use standard runner labels for all workflows (#14476)

Use standard runner labels for all workflows. This will allow us to pull
from the hot pools for most jobs and on-demand when more are needed.
This does elimate our cost optimization but latest on-demand runners
have taken so long to provision as to be unbearable.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
---
 .github/actionlint.yml                           | 16 ++--------------
 .github/actions/metadata/action.yml              |  8 ++++----
 .github/workflows/enos-lint.yml                  |  2 +-
 .github/workflows/security-scan.yml              |  2 +-
 .github/workflows/test-enos-scenario-ui.yml      |  2 +-
 .../test-run-enos-scenario-containers.yml        |  2 +-
 6 files changed, 10 insertions(+), 22 deletions(-)

diff --git a/.github/actionlint.yml b/.github/actionlint.yml
index b1f3ccdb1c..b1ea96db73 100644
--- a/.github/actionlint.yml
+++ b/.github/actionlint.yml
@@ -8,21 +8,9 @@ self-hosted-runner:
     - medium
     - large
     - xlarge
-    - ondemand
-    - disk_gb=64
-    - os=ubuntu
-    - os=ubuntu-arm
-    - type=m5.2xlarge
-    - type=m6a.8xlarge
-    - type=c6a.xlarge
-    - type=c6g.2xlarge
-    - type=c6a.4xlarge
-    - type=c6g.2xlarge;c6g.4xlarge
-    - type=c6a.4xlarge;c6i.4xlarge;c5a.4xlarge;c5.4xlarge;m7a.4xlarge;m6i.4xlarge;m6a.4xlarge;m5a.4xlarge;m5.4xlarge
-    - type=c6a.2xlarge;c6i.2xlarge;c5a.2xlarge;c5.2xlarge;m7a.2xlarge;m6i.2xlarge;m6a.2xlarge;m5a.2xlarge;m5.2xlarge
-    - type=m7a.2xlarge;m6i.2xlarge;m6a.2xlarge;m5a.2xlarge;m5.2xlarge
-    - type=c7g.2xlarge;c6g.2xlarge;m7g.2xlarge;m6g.2xlarge
     - ubuntu-22.04-x64
     - ubuntu-latest-x64
+    - ubuntu-24.04-arm64
     - custom-linux-xl-vault-latest
     - stats
+    - type=m6a.8xlarge
diff --git a/.github/actions/metadata/action.yml b/.github/actions/metadata/action.yml
index 4c67f45c99..a9fa68c73f 100644
--- a/.github/actions/metadata/action.yml
+++ b/.github/actions/metadata/action.yml
@@ -168,10 +168,10 @@ runs:
             go_tags='ent,enterprise'
             version_metadata='${{ inputs.vault-version }}+ent'
           fi
-          compute_build='["self-hosted","ondemand","os=ubuntu","disk_gb=64","type=c6a.4xlarge;c6i.4xlarge;c5a.4xlarge;c5.4xlarge;m7a.4xlarge;m6i.4xlarge;m6a.4xlarge;m5a.4xlarge;m5.4xlarge"]'
-          compute_build_ui='["self-hosted","ondemand","os=ubuntu","disk_gb=64","type=c6a.2xlarge;c6i.2xlarge;c5a.2xlarge;c5.2xlarge;m7a.2xlarge;m6i.2xlarge;m6a.2xlarge;m5a.2xlarge;m5.2xlarge"]'
-          compute_test_go='["self-hosted","ondemand","os=ubuntu","disk_gb=64","type=c6a.2xlarge;c6i.2xlarge;c5a.2xlarge;c5.2xlarge;m7a.2xlarge;m6i.2xlarge;m6a.2xlarge;m5a.2xlarge;m5.2xlarge"]'
-          compute_test_ui='["self-hosted","ondemand","os=ubuntu","disk_gb=64","type=m7a.2xlarge;m6i.2xlarge;m6a.2xlarge;m5a.2xlarge;m5.2xlarge"]'
+          compute_build='["self-hosted","ubuntu-latest-x64","xlarge"]'
+          compute_build_ui='["self-hosted","ubuntu-latest-x64","large"]'
+          compute_test_go='["self-hosted","ubuntu-latest-x64","large"]'
+          compute_test_ui='["self-hosted","ubuntu-latest-x64","large"]'
           compute_small='["self-hosted","linux","small"]'
         else
           compute_build='"custom-linux-medium-vault-latest"'
diff --git a/.github/workflows/enos-lint.yml b/.github/workflows/enos-lint.yml
index fa77412995..4ff849398d 100644
--- a/.github/workflows/enos-lint.yml
+++ b/.github/workflows/enos-lint.yml
@@ -27,7 +27,7 @@ jobs:
           echo "version=${{ steps.set-product-version.outputs.product-version }}" >> "$GITHUB_OUTPUT"
           github_repository="${{ github.repository }}"
           if [ "${github_repository##*/}" == "vault-enterprise" ] ; then
-            echo 'runs-on=["self-hosted","ubuntu-latest-x64","type=m7a.2xlarge;m6i.2xlarge;m6a.2xlarge;m5a.2xlarge;m5.2xlarge"]' >> "$GITHUB_OUTPUT"
+            echo 'runs-on=["self-hosted","ubuntu-latest-x64","large"]' >> "$GITHUB_OUTPUT"
           else
             echo 'runs-on="custom-linux-xl-vault-latest"' >> "$GITHUB_OUTPUT"
           fi
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 50c14b2b88..198e2dfd15 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -16,7 +16,7 @@ on:
 
 jobs:
   scan:
-    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ondemand","os=ubuntu","type=c6a.4xlarge;c6i.4xlarge;c5a.4xlarge;c5.4xlarge;m7a.4xlarge;m6i.4xlarge;m6a.4xlarge;m5a.4xlarge;m5.4xlarge"]') }}
+    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64","xlarge"]') }}
     # The first check ensures this doesn't run on community-contributed PRs, who won't have the
     # permissions to run this job.
     if: |
diff --git a/.github/workflows/test-enos-scenario-ui.yml b/.github/workflows/test-enos-scenario-ui.yml
index 14a2e3e4c7..e7d127e9ca 100644
--- a/.github/workflows/test-enos-scenario-ui.yml
+++ b/.github/workflows/test-enos-scenario-ui.yml
@@ -48,7 +48,7 @@ jobs:
       - id: get-outputs
         run: |
           if [[ '${{ steps.metadata.outputs.is-ent-repo }}' == 'true' ]]; then
-            echo "runs-on=['self-hosted', 'ondemand', 'os=ubuntu', 'type=m8a.4xlarge;m7a.4xlarge;m5d.4xlarge']" >> "$GITHUB_OUTPUT"
+            echo 'runs-on=["self-hosted","ubuntu-latest-x64","xlarge"]' >> "$GITHUB_OUTPUT"
           else
             echo "runs-on=\"custom-linux-xl-vault-latest\"" >> "$GITHUB_OUTPUT"
           fi
diff --git a/.github/workflows/test-run-enos-scenario-containers.yml b/.github/workflows/test-run-enos-scenario-containers.yml
index 5e67246acb..553fde2257 100644
--- a/.github/workflows/test-run-enos-scenario-containers.yml
+++ b/.github/workflows/test-run-enos-scenario-containers.yml
@@ -73,7 +73,7 @@ jobs:
   run:
     needs: metadata
     name: run ${{ matrix.scenario.id.filter }}
-    runs-on: ${{ fromJSON(needs.metadata.outputs.is-ent-repo == 'true' && (contains(inputs.build-artifact-name, 'arm64') && '["self-hosted","ondemand","os=ubuntu-arm","type=c6g.xlarge;c6g.2xlarge;c6g.4xlarge"]' || '["self-hosted","ubuntu-latest-x64"]') || (contains(inputs.build-artifact-name, 'arm64') && '"ubuntu-22.04-arm"' || '"ubuntu-latest"')) }}
+    runs-on: ${{ fromJSON(needs.metadata.outputs.is-ent-repo == 'true' && (contains(inputs.build-artifact-name, 'arm64') && '["self-hosted","ubuntu-24.04-arm64"]' || '["self-hosted","ubuntu-latest-x64"]') || (contains(inputs.build-artifact-name, 'arm64') && '"ubuntu-22.04-arm"' || '"ubuntu-latest"')) }}
     strategy:
       fail-fast: false # don't fail as that can skip required cleanup steps for jobs
       matrix: