From d19b16110d0792f3b37e7323ec87f3fa0da92338 Mon Sep 17 00:00:00 2001
From: Scott Hart <sdhart@google.com>
Date: Tue, 6 Jan 2026 16:52:18 -0500
Subject: [PATCH] ci: remove untrusted gha workflow

---
 .github/workflows/test-runner-untrusted.yml | 116 --------------------
 1 file changed, 116 deletions(-)
 delete mode 100644 .github/workflows/test-runner-untrusted.yml

diff --git a/.github/workflows/test-runner-untrusted.yml b/.github/workflows/test-runner-untrusted.yml
deleted file mode 100644
index 0a5bc0efdf960..0000000000000
--- a/.github/workflows/test-runner-untrusted.yml
+++ /dev/null
@@ -1,116 +0,0 @@
-name: "gha: macOS & Windows Untrusted"
-
-# Build on pull requests and pushes to `main`. The PR builds will be
-# non-blocking for now, but that is configured elsewhere.
-on:
-  # Start the build in the context of the target branch. This is considered
-  # "safe", as the workflow files are already committed. These types of builds
-  # have access to the secrets in the build, which we need to use the remote
-  # caches (Bazel and sccache).
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-  workflow_dispatch:
-
-# Cancel in-progress runs of the workflow if somebody adds a new commit to the
-# PR or branch. That reduces billing, but it creates more noise about cancelled
-# jobs
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  pre-flight:
-    # For external contributors, run the build in the `external` environment.
-    # This requires manual approval from a contributor. It also saves the
-    # `ref` of the pull request, so downstream jobs know what to checkout.
-    environment: 'external'
-    name: Require Approval for External PRs
-    if: ${{ github.event.pull_request.author_association != 'OWNER' && github.event.pull_request.author_association != 'MEMBER' && github.event.pull_request.author_association != 'COLLABORATOR' }}
-    runs-on: ubuntu-latest
-    outputs:
-      checkout-sha: ${{ steps.save-pull-request.outputs.sha }}
-    steps:
-      - name: Save Pull Request
-        id: save-pull-request
-        run: >
-          echo "sha=${{ github.event.pull_request.head.sha || github.ref }}" >> $GITHUB_OUTPUT
-
-  # Run other jobs once the `pre-flight` job passes. When the `pre-flight`
-  # job requires approval, these blocks all the other jobs. The jobs are defined
-  # in separate files to keep the size of this file under control. Note how
-  # the additional jobs inherit any secrets needed to use the remote caches and
-  # receive what version to checkout as an input.
-  macos-bazel:
-    # Build the full matrix only on push events to the default branch, or
-    # when PR gets the has a `gha:full-build` label, or when it had the
-    # label already and it gets a new commit.
-    if: |-
-      ${{
-        github.event_name == 'schedule' ||
-        github.event_name == 'push' ||
-        contains(github.event.pull_request.labels.*.name, 'gha:full-build')
-      }}
-    name: macOS-Bazel
-    needs: [pre-flight]
-    uses: ./.github/workflows/macos-bazel.yml
-    with:
-      checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
-      bazel-cache-mode: 'READ_ONLY'
-      execute-integration-tests: false
-  windows-bazel:
-    # Build the full matrix only on push events to the default branch, or
-    # when PR gets the has a `gha:full-build` label, or when it had the
-    # label already and it gets a new commit.
-    if: |-
-      ${{
-        github.event_name == 'schedule' ||
-        github.event_name == 'push' ||
-        contains(github.event.pull_request.labels.*.name, 'gha:full-build')
-      }}
-    name: Windows-Bazel
-    needs: [pre-flight]
-    uses: ./.github/workflows/windows-bazel.yml
-    with:
-      checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
-      bazel-cache-mode: 'READ_ONLY'
-      execute-integration-tests: false
-  macos-cmake:
-    name: macOS-CMake
-    needs: [pre-flight]
-    uses: ./.github/workflows/macos-cmake.yml
-    with:
-      checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
-      # Build the full matrix only on push events to the default branch, or
-      # when PR gets the has a `gha:full-build` label, or when it had the
-      # label already and it gets a new commit.
-      full-matrix: |-
-        ${{
-          github.event_name == 'schedule' ||
-          github.event_name == 'push' ||
-          contains(github.event.pull_request.labels.*.name, 'gha:full-build')
-        }}
-      sccache-mode: 'DISABLED'
-      vcpkg-cache-mode: 'read'
-      execute-integration-tests: false
-  windows-cmake:
-    name: Windows-CMake
-    needs: [pre-flight]
-    uses: ./.github/workflows/windows-cmake.yml
-    with:
-      checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
-      # Build the full matrix only on push events to the default branch, or
-      # when PR gets the has a `gha:full-build` label, or when it had the
-      # label already and it gets a new commit.
-      full-matrix: |-
-        ${{
-          github.event.pull_request.author_association != 'MEMBER' &&
-          (github.event_name == 'push' ||
-          github.event_name == 'workflow_dispatch' ||
-          contains(github.event.pull_request.labels.*.name, 'gha:full-build'))
-        }}
-      sccache-mode: 'DISABLED'
-      vcpkg-cache-mode: 'read'
-      execute-integration-tests: false