Conversation
The Harden Runner egress policy was missing dl.google.com (used by setup-go-faster to download Go binaries) and release-assets.githubusercontent.com (used to download the staticcheck binary), causing the job to fail with exit code 22.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a4712cd41f
| func (k *KubernetesConfigImpl) populateViperOverride(src *viper.Viper, dst *viper.Viper, techniqueID string) { | ||
| dst.SetDefault("kubernetes", src.Get("kubernetes.default")) | ||
| if techniqueConfig := src.Get("kubernetes.techniques." + techniqueID); techniqueConfig != nil { | ||
| dst.Set("kubernetes", techniqueConfig) |
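Review bot: `dst.Set("kubernetes", techniqueConfig)` replaces the whole `kubernetes` subtree that the preceding `SetDefault` populated, so a technique block that carries only some keys hides every default key it omits. Walk the technique map and set each leaf individually (for example `dst.Set("kubernetes."+key, value)` per nested key), or merge the technique map over the default map before the single `Set`, so keys the technique does not mention keep their default values.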
Deep-merge technique pod config with global defaults
populateViperOverride replaces the entire kubernetes subtree with the technique-specific block, so when a technique overrides only part of pod (for example just pod.image), GetTechniquePodConfig reads only that partial map and drops default pod settings like labels/tolerations/node selector. This breaks the documented key-by-key override behavior for Kubernetes techniques that apply pod config in Go.
Useful? React with 👍 / 👎.
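The key-by-key merge the comment above asks for, shown as an added example with plain maps rather than Viper (this is illustration code, not the project's own; `deepMerge`, `techniquePodConfig` and the sample maps are assumptions):

```go
package main

import "fmt"

// deepMerge returns a copy of base with override applied key by key:
// nested maps are merged recursively, any other value in override wins.
// Neither input map is mutated (maps only present in base are shared).
func deepMerge(base, override map[string]any) map[string]any {
	out := make(map[string]any, len(base))
	for k, v := range base {
		out[k] = v
	}
	for k, ov := range override {
		if bm, ok := out[k].(map[string]any); ok {
			if om, ok := ov.(map[string]any); ok {
				out[k] = deepMerge(bm, om)
				continue
			}
		}
		out[k] = ov
	}
	return out
}

// techniquePodConfig merges a technique's partial "kubernetes" block over the
// global default block and returns the resulting "pod" map, so a technique
// that sets only pod.image still inherits labels and node_selector.
func techniquePodConfig(defaults, technique map[string]any) map[string]any {
	merged := deepMerge(defaults, technique)
	pod, _ := merged["pod"].(map[string]any)
	return pod
}

func main() {
	// Constructed sample: defaults carry image, labels and node_selector;
	// the technique overrides only pod.image.
	defaults := map[string]any{
		"pod": map[string]any{
			"image":         "ubuntu:22.04",
			"labels":        map[string]any{"app": "demo"},
			"node_selector": map[string]any{"kubernetes.io/os": "linux"},
		},
	}
	technique := map[string]any{
		"pod": map[string]any{"image": "alpine:3.19"},
	}
	fmt.Println(techniquePodConfig(defaults, technique))
}
```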
| if len(overrideVars) > 0 { | ||
| err = m.StateManager.WriteTerraformVariables(overrideVars) |
Always rewrite persisted Terraform variable state
WarmUp only persists Terraform variables when len(overrideVars) > 0, which leaves stale .terraform-variables on disk after a later warmup --force run with no overrides. CleanUp then loads those stale values and passes them to terraform destroy, which can use a different resource graph than the most recent apply (for example when namespace creation is conditional on config) and fail to clean up resources.
Useful? React with 👍 / 👎.
| operator: "Equal" | ||
| value: "security" | ||
| effect: "NoSchedule" | ||
| nodeSelector: |
Use parsed node_selector key in sample config
The shipped example uses nodeSelector, but the implementation reads node_selector (mapstructure:"node_selector" and Terraform override path kubernetes.pod.node_selector). Users copying this file will not get node selector overrides applied, so pod placement constraints silently fail.
Useful? React with 👍 / 👎.
Summary
- Add dl.google.com:443 and release-assets.githubusercontent.com:443 to the Harden Runner egress policy.
- The setup-go-faster action (used by dominikh/staticcheck-action) downloads Go binaries from dl.google.com, and the staticcheck binary is downloaded from release-assets.githubusercontent.com.
Test plan