Run Android release job on ephemeral runners (#10190)

huydhn · web-flow · commit 64fdebe12cda · 2025-04-15T14:41:20.000-07:00
To summary the discussion with @kirklandsign, only repository secrets are accessible in a Nova linux job. However, GitHub warns against using such secrets on persistent self-hosted runners https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners. In this case, it's important to use a fresh ephemeral runner instead to make sure that nothing on the runner could steal these secrets. ### Testing https://github.com/pytorch/executorch/actions/runs/14465234621
diff --git a/.github/workflows/android-release-artifacts.yml b/.github/workflows/android-release-artifacts.yml
@@ -49,7 +49,8 @@ jobs:
       contents: read
     with:
       secrets-env: EXECUTORCH_MAVEN_SIGNING_KEYID EXECUTORCH_MAVEN_SIGNING_PASSWORD EXECUTORCH_MAVEN_CENTRAL_PASSWORD EXECUTORCH_MAVEN_CENTRAL_USERNAME EXECUTORCH_MAVEN_SIGNING_GPG_KEY_CONTENTS
-      runner: linux.2xlarge
+      # As this job has access to Maven credential, run this on a fresh ephemeral runner
+      runner: ephemeral.linux.2xlarge
       docker-image: executorch-ubuntu-22.04-clang12-android
       submodules: 'recursive'
       ref: ${{ github.sha }}
