From db64ec98030da3e7973eaa77cb021228303329a8 Mon Sep 17 00:00:00 2001
From: argenis de la rosa <theonlyhennygod@gmail.com>
Date: Thu, 5 Mar 2026 12:12:27 -0500
Subject: [PATCH] ci(workflows): retrigger security workflows after blacksmith
 routing changes

---
 .github/workflows/sec-audit.yml  | 1 +
 .github/workflows/sec-codeql.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/sec-audit.yml b/.github/workflows/sec-audit.yml
index a2eaf4b5b..20916cb67 100644
--- a/.github/workflows/sec-audit.yml
+++ b/.github/workflows/sec-audit.yml
@@ -70,6 +70,7 @@ env:
     CARGO_TERM_COLOR: always
 
 jobs:
+    # Run all security lanes on the same Blacksmith-tagged Linux pool for consistent routing.
     audit:
         name: Security Audit
         runs-on: [self-hosted, Linux, X64, blacksmith-2vcpu-ubuntu-2404]
diff --git a/.github/workflows/sec-codeql.yml b/.github/workflows/sec-codeql.yml
index 969790511..d10c12e8b 100644
--- a/.github/workflows/sec-codeql.yml
+++ b/.github/workflows/sec-codeql.yml
@@ -61,6 +61,7 @@ jobs:
               shell: bash
               run: |
                   set -euo pipefail
+                  # Keep both lanes on the Blacksmith Linux pool to avoid provider-specific routing.
                   branch="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
                   if [[ "$branch" == release/* ]]; then
                     echo 'labels=["self-hosted","Linux","X64","blacksmith-2vcpu-ubuntu-2404"]' >> "$GITHUB_OUTPUT"