Skip to content

Install proxy cert on GitHub-hosted Ubuntu runners #3435

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
mbg wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Install proxy cert on GitHub-hosted Ubuntu runners #3435

mbg wants to merge 2 commits into from
+399 −251

Conversation

@mbg
Copy link
Member

@mbg mbg commented Jan 27, 2026

This is mostly an experiment to install the private registry proxy cert system-wide on GitHub-hosted Ubuntu runners. This would provide some level of redundancy against cases where access to a private registry via the proxy fails at a later step because the certificate is not trusted.

Ideally this would be behind a FF, but we don't currently have access to those in start-proxy.

Risk assessment

For internal use only. Please select the risk level of this change:

  • High risk: Changes are not fully under feature flags, have limited visibility and/or cannot be tested outside of production.

Which use cases does this change impact?

Workflow types:

  • Managed - Impacts users with dynamic workflows (Default Setup, CCR, ...).

Products:

  • Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
  • Code Quality - The changes impact analyses when analysis-kinds: code-quality.

Environments:

  • Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.
  • GHES - Impacts CodeQL workflows on GitHub Enterprise Server.

How did/will you validate this change?

  • Test repository - This change will be tested on a test repository before merging.
  • End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

  • Feature flags - All new or changed code paths can be fully disabled with corresponding feature flags.
  • Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

  • Telemetry - I rely on existing telemetry or have made changes to the telemetry.
    • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
    • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

  • No special considerations - This change can be merged at any time.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

@mbg mbg self-assigned this Jan 27, 2026
@github-actions github-actions bot added the size/S Should be easy to review label Jan 27, 2026
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 27, 2026
View reviewed changes
src/start-proxy.ts
fs.writeFileSync(certFilePath, cert);

// Update the certificates.
await runTool("sudo", ["update-ca-certificates"]);

Check failure

Code scanning / CodeQL

Exec call vulnerable to binary planting Error

This exec call might be vulnerable to Windows binary planting vulnerabilities.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees

@mbg mbg

Labels

size/S Should be easy to review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mbg @Claude @Codex