chore: test self hosted runner

[CarlJi]

No description provided.

[gemini-code-assist]

Summary of Changes

Hello @CarlJi, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request appears to be a test or chore related to the setup or functionality of a self-hosted runner, as indicated by its title. The sole code change involves a minor whitespace adjustment in a Go source file, which serves no functional purpose but likely acts as a trigger for the CI/CD pipeline to validate the runner's operation.

Highlights

• Whitespace Adjustment: Introduced two blank lines and a tab character between the coverFilePatterns and skipFilePatterns variable declarations in cmd/profile.go.

Ignored Files

• Ignored by pattern: .github/workflows/** (4)
  • .github/workflows/e2e_test_check.yml
  • .github/workflows/golangci-lint.yml
  • .github/workflows/style_check.yml
  • .github/workflows/ut_check.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[qiniu-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CarlJi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [CarlJi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gemini-code-assist]

Code Review

This pull request introduces a minor formatting change by adding extra blank lines in cmd/profile.go. My review includes a suggestion to remove these unnecessary lines to maintain code cleanliness. The change appears to be for testing purposes as indicated by the title.

[gemini-code-assist]

These extra blank lines are unnecessary and should be removed to improve code readability. It's good practice to group related variable declarations without excessive spacing.

[xgopilot]

Critical Security Risk: Self-Hosted Runners + Public Repository

This PR migrates workflows to self-hosted runners but introduces critical security vulnerabilities for a public repository. Self-hosted runners executing untrusted code from external PRs create severe risks:

Immediate Concerns:

• Code injection from malicious PRs can compromise runner infrastructure
• Secrets exposure to untrusted code
• No runner isolation/cleanup between executions
• Persistent compromise across workflow runs

Required Mitigations:

1. Implement PR approval requirements before running on self-hosted runners
2. Use separate runners for external PRs vs. protected branches
3. Implement ephemeral/containerized runner execution
4. Document security policies and incident response procedures

See inline comments for additional issues.

[xgopilot]

These blank lines appear to be accidental and should be removed. They violate Go formatting conventions and are unrelated to the PR's purpose.

[xgopilot]

Critical Security: Running untrusted PR code on self-hosted runners allows attackers to:

• Execute arbitrary code on your infrastructure
• Access secrets and environment variables
• Persist malicious state across builds

Consider restricting self-hosted runners to protected branches only, or implement approval requirements for external PRs.

[xgopilot]

This quote style change (single to double) is unrelated to the runner migration. Consider reverting formatting changes or moving them to a separate PR to keep changes focused.

[xgopilot]

Critical Security Issue

Severity: CRITICAL - This PR introduces a significant security vulnerability by enabling self-hosted runners for all pull requests without access controls.

The Problem

Self-hosted runners executing code from untrusted pull requests can allow arbitrary code execution on your infrastructure. External contributors can:

• Access secrets and environment variables
• Install persistent backdoors on runners
• Exfiltrate sensitive data
• Pivot to internal network resources

Recommended Solutions

Option 1 (Recommended): Use GitHub-hosted runners for external PRs:

runs-on: ${{ github.event.pull_request.head.repo.full_name == github.repository && 'self-hosted' || 'ubuntu-latest' }}

Option 2: Restrict workflows to same-repo PRs only:

if: github.event.pull_request.head.repo.full_name == github.repository

Option 3: Use pull_request_target with manual approval environment for external PRs.

Ref: GitHub Security Hardening Guide

[xgopilot]

Remove these unnecessary blank lines. This appears to be an accidental formatting change that reduces code consistency.

[xgopilot]

Critical Security Concern: Self-Hosted Runners with Pull Requests

This PR introduces a critical security vulnerability by running workflows triggered by pull_request events on self-hosted runners. This allows untrusted code from public PRs to execute on your infrastructure.

Risk: Attackers can submit malicious PRs to steal credentials, mine cryptocurrency, or pivot to internal systems. GitHub explicitly warns against this configuration.

Recommendation: Do not merge until you either:

• Keep ubuntu-latest for pull_request workflows, use self-hosted only for protected branch pushes
• Switch to pull_request_target with manual approval via labels and ephemeral runners

See: GitHub Security Hardening

[xgopilot]

These blank lines (including one with trailing whitespace) should be removed. They don't serve any purpose and are inconsistent with the codebase style. This appears to be an accidental addition unrelated to the PR's purpose.

[xgopilot]

Security & Performance Issues:

1. Security: This workflow runs on pull_request events from untrusted sources. Using self-hosted allows arbitrary code execution on your infrastructure.

2. Performance: Line 58 hardcodes /home/runner/tools which is specific to GitHub-hosted runners. Self-hosted runners may use different paths, causing failures.

3. Concurrency: The matrix strategy (4 Go versions) may queue or compete for resources if you have limited self-hosted runners, potentially increasing CI time 4x.

[xgopilot]

Same security concern: pull_request + self-hosted + matrix strategy allows untrusted code execution on your infrastructure with potential for severe resource contention across 4 concurrent Go versions.

[xgopilot]

Security issue: This workflow runs on all pull_request events using self-hosted runners, creating an attack vector for malicious PRs.

[xgopilot]

Security issue: pull_request events on self-hosted runners allow untrusted code execution. This workflow should either use ubuntu-latest or implement pull_request_target with manual approval.