From ff97dc265f95f51f68bb9a793f8b5cc4b15246ab Mon Sep 17 00:00:00 2001 From: jdx <216188+jdx@users.noreply.github.com> Date: Thu, 30 Apr 2026 08:14:13 -0500 Subject: [PATCH 01/10] ci: migrate from github-hosted runners to namespace.so - Linux jobs now use the namespace-profile-endev custom runner profile - macOS jobs use nscloud-macos-sequoia-arm64-6x14 - Windows jobs use nscloud-windows-2022-amd64-8x16 - Replace Swatinem/rust-cache with namespacelabs/nscloud-cache-action (cache: rust) - Matrix jobs gain a separate runner field so existing matrix.os conditionals and artifact names continue to work unchanged Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/autofix.yml | 6 +- .github/workflows/ci.yml | 87 +++++++++++++++----------- .github/workflows/claude.yml | 2 +- .github/workflows/docs.yml | 8 ++- .github/workflows/pr-closer.yml | 2 +- .github/workflows/release-plz.yml | 6 +- .github/workflows/release.yml | 25 +++++--- .github/workflows/semantic-pr-lint.yml | 2 +- 8 files changed, 81 insertions(+), 57 deletions(-) diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml index 0ac86ddf6..c5b150f91 100644 --- a/.github/workflows/autofix.yml +++ b/.github/workflows/autofix.yml @@ -18,13 +18,13 @@ env: jobs: autofix: if: github.actor != 'renovate[bot]' && github.actor != 'mend[bot]' - runs-on: ubuntu-latest + runs-on: namespace-profile-endev timeout-minutes: 10 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + - uses: namespacelabs/nscloud-cache-action@v1 with: - shared-key: autofix + cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - run: mise x -- aube install - run: "mise run render ::: lint-fix" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 87d94d99a..b65128e80 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -21,15 +21,18 @@ jobs: strategy: fail-fast: false matrix: - os: - - macos-latest - - ubuntu-latest - #- ubuntu-24.04-arm - runs-on: ${{ matrix.os }} + include: + - os: macos-latest + runner: nscloud-macos-sequoia-arm64-6x14 + - os: ubuntu-latest + runner: namespace-profile-endev + runs-on: ${{ matrix.runner }} timeout-minutes: 10 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + - uses: namespacelabs/nscloud-cache-action@v1 + with: + cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - run: mise run build - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 @@ -37,11 +40,13 @@ jobs: name: hk-${{ matrix.os }} path: target/debug/hk build-windows: - runs-on: windows-latest + runs-on: nscloud-windows-2022-amd64-8x16 timeout-minutes: 15 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + - uses: namespacelabs/nscloud-cache-action@v1 + with: + cache: rust - name: Build run: cargo build --features git2/vendored-libgit2,git2/vendored-openssl - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 @@ -53,12 +58,12 @@ jobs: strategy: fail-fast: false matrix: - os: - - macos-latest - - ubuntu-latest - #- ubuntu-24.04-arm - #- windows-latest - runs-on: ${{ matrix.os }} + include: + - os: macos-latest + runner: nscloud-macos-sequoia-arm64-6x14 + - os: ubuntu-latest + runner: namespace-profile-endev + runs-on: ${{ matrix.runner }} timeout-minutes: 20 steps: - run: brew install parallel 
@@ -87,12 +92,12 @@ jobs: strategy: fail-fast: false matrix: - os: - - macos-latest - - ubuntu-latest - #- ubuntu-24.04-arm - #- windows-latest - runs-on: ${{ matrix.os }} + include: + - os: macos-latest + runner: nscloud-macos-sequoia-arm64-6x14 + - os: ubuntu-latest + runner: namespace-profile-endev + runs-on: ${{ matrix.runner }} timeout-minutes: 20 steps: - run: brew install parallel @@ -121,12 +126,12 @@ jobs: strategy: fail-fast: false matrix: - os: - - macos-latest - - ubuntu-latest - #- ubuntu-24.04-arm - #- windows-latest - runs-on: ${{ matrix.os }} + include: + - os: macos-latest + runner: nscloud-macos-sequoia-arm64-6x14 + - os: ubuntu-latest + runner: namespace-profile-endev + runs-on: ${{ matrix.runner }} timeout-minutes: 20 steps: - run: brew install parallel @@ -154,18 +159,20 @@ jobs: strategy: fail-fast: false matrix: - os: - - macos-latest - - ubuntu-latest - #- ubuntu-24.04-arm - #- windows-latest - runs-on: ${{ matrix.os }} + include: + - os: macos-latest + runner: nscloud-macos-sequoia-arm64-6x14 + - os: ubuntu-latest + runner: namespace-profile-endev + runs-on: ${{ matrix.runner }} timeout-minutes: 20 steps: - run: brew install parallel if: ${{ matrix.os == 'macos-latest' }} - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + - uses: namespacelabs/nscloud-cache-action@v1 + with: + cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - run: mise x -- aube install - name: mise run test:cargo 
@@ -173,20 +180,24 @@ jobs: - name: mise run lint run: mise run lint msrv: - runs-on: ubuntu-latest + runs-on: namespace-profile-endev timeout-minutes: 10 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + - uses: namespacelabs/nscloud-cache-action@v1 + with: + cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - run: mise run msrv ci-windows: needs: build-windows - runs-on: windows-latest + runs-on: nscloud-windows-2022-amd64-8x16 timeout-minutes: 20 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + - uses: namespacelabs/nscloud-cache-action@v1 + with: + cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: @@ -214,7 +225,7 @@ jobs: - ci-other - ci-windows - msrv - runs-on: ubuntu-latest + runs-on: namespace-profile-endev timeout-minutes: 1 if: always() steps: diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index 79f5bfe47..bdc3e80a7 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml @@ -17,7 +17,7 @@ jobs: (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) - runs-on: ubuntu-latest + runs-on: namespace-profile-endev permissions: contents: read pull-requests: read diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 9f38aae41..aa62d5aff 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml 
@@ -32,13 +32,15 @@ jobs: # Build job build: if: github.repository == 'jdx/hk' - runs-on: ubuntu-latest + runs-on: namespace-profile-endev steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 # Not needed if lastUpdated is not enabled - - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + - uses: namespacelabs/nscloud-cache-action@v1 + with: + cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - name: Setup Pages uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6 @@ -61,7 +63,7 @@ jobs: pages: write # to deploy to Pages id-token: write # to verify the deployment originates from an appropriate source needs: build - runs-on: ubuntu-latest + runs-on: namespace-profile-endev name: Deploy steps: - name: Deploy to GitHub Pages diff --git a/.github/workflows/pr-closer.yml b/.github/workflows/pr-closer.yml index 84c22b3b1..c7fb247eb 100644 --- a/.github/workflows/pr-closer.yml +++ b/.github/workflows/pr-closer.yml @@ -7,7 +7,7 @@ on: jobs: close-stale-prs: - runs-on: ubuntu-latest + runs-on: namespace-profile-endev permissions: pull-requests: write steps: diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml index 7f380e83f..b160a4fa1 100644 --- a/.github/workflows/release-plz.yml +++ b/.github/workflows/release-plz.yml @@ -20,13 +20,15 @@ env: jobs: release-plz: if: github.repository == 'jdx/hk' - runs-on: ubuntu-latest + runs-on: namespace-profile-endev steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 token: ${{ secrets.HK_GH_TOKEN }} - - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + - uses: namespacelabs/nscloud-cache-action@v1 + with: + cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 with: experimental: true 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 56befefdf..d1130e3ff 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,37 +20,44 @@ env: jobs: build-binaries: - runs-on: ${{ matrix.os }} + runs-on: ${{ matrix.runner }} strategy: fail-fast: false matrix: include: - target: aarch64-apple-darwin os: macos-latest + runner: nscloud-macos-sequoia-arm64-6x14 build-tool: cargo - target: x86_64-unknown-linux-musl os: ubuntu-latest + runner: namespace-profile-endev build-tool: cross - target: aarch64-unknown-linux-musl os: ubuntu-latest + runner: namespace-profile-endev build-tool: cross - target: x86_64-unknown-linux-gnu os: ubuntu-latest + runner: namespace-profile-endev build-tool: cross - target: aarch64-unknown-linux-gnu os: ubuntu-latest + runner: namespace-profile-endev build-tool: cross - target: x86_64-pc-windows-msvc os: windows-latest + runner: nscloud-windows-2022-amd64-8x16 build-tool: cargo - target: aarch64-pc-windows-msvc os: windows-latest + runner: nscloud-windows-2022-amd64-8x16 build-tool: cargo steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + - uses: namespacelabs/nscloud-cache-action@v1 with: - shared-key: rust-${{ matrix.target }} + cache: rust - if: matrix.os == 'macos-latest' uses: apple-actions/import-codesign-certs@fe74d46e82474f87e1ba79832ad28a4013d0e33a # v6 with: @@ -78,7 +85,7 @@ jobs: retention-days: 1 build-pkl: - runs-on: ubuntu-latest + runs-on: namespace-profile-endev steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 @@ -106,7 +113,7 @@ jobs: create-release: needs: [build-binaries, build-pkl] - runs-on: ubuntu-latest + runs-on: namespace-profile-endev steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: 
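Review bot: The `build-binaries` job now restores a Rust build cache from the Namespace cache volume (`cache: rust`) right before the code-signing step, and the hunk drops the old `shared-key: rust-${{ matrix.target }}` scoping, so release artifacts are compiled on top of whatever an earlier job left in that volume. Whether pull-request CI jobs on the same runner profile write to the same volume is not visible in this patch; if they do, a branch build could seed `target/` or registry contents that the release build then trusts. I would leave the cache step out of the release path (here, in `publish-crate` further down this file, and in `release-plz.yml`), or run these jobs on a separate profile whose volume only release workflows can write, and record the choice in a comment such as `# no shared build cache: release artifacts are built clean`. The job's steps continue outside the hunk.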
@@ -145,10 +152,12 @@ jobs: publish-crate: needs: [create-release] if: github.repository == 'jdx/hk' - runs-on: ubuntu-latest + runs-on: namespace-profile-endev steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + - uses: namespacelabs/nscloud-cache-action@v1 + with: + cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - run: cargo publish env: @@ -156,7 +165,7 @@ jobs: enhance-release: needs: [create-release] - runs-on: ubuntu-latest + runs-on: namespace-profile-endev steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: diff --git a/.github/workflows/semantic-pr-lint.yml b/.github/workflows/semantic-pr-lint.yml index 9740186ba..7d120d218 100644 --- a/.github/workflows/semantic-pr-lint.yml +++ b/.github/workflows/semantic-pr-lint.yml @@ -10,7 +10,7 @@ on: jobs: main: name: Validate PR title - runs-on: ubuntu-latest + runs-on: namespace-profile-endev permissions: pull-requests: read steps: From 5ba13731c9755de2a70246f88ea962b0af717036 Mon Sep 17 00:00:00 2001 From: jdx <216188+jdx@users.noreply.github.com> Date: Thu, 30 Apr 2026 08:19:35 -0500 Subject: [PATCH 02/10] ci: pin nscloud-cache-action to commit SHA Match the rest of the repo's practice of pinning third-party actions to immutable commit SHAs rather than mutable version tags. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/autofix.yml | 2 +- .github/workflows/ci.yml | 10 +++++----- .github/workflows/docs.yml | 2 +- .github/workflows/release-plz.yml | 2 +- .github/workflows/release.yml | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml index c5b150f91..b7aa896cd 100644 --- a/.github/workflows/autofix.yml +++ b/.github/workflows/autofix.yml 
@@ -22,7 +22,7 @@ jobs: timeout-minutes: 10 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: namespacelabs/nscloud-cache-action@v1 + - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b65128e80..8221197cb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -30,7 +30,7 @@ jobs: timeout-minutes: 10 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: namespacelabs/nscloud-cache-action@v1 + - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 @@ -44,7 +44,7 @@ jobs: timeout-minutes: 15 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: namespacelabs/nscloud-cache-action@v1 + - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust - name: Build @@ -170,7 +170,7 @@ jobs: - run: brew install parallel if: ${{ matrix.os == 'macos-latest' }} - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: namespacelabs/nscloud-cache-action@v1 + - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 @@ -184,7 +184,7 @@ jobs: timeout-minutes: 10 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: namespacelabs/nscloud-cache-action@v1 + - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 
@@ -195,7 +195,7 @@ jobs: timeout-minutes: 20 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: namespacelabs/nscloud-cache-action@v1 + - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index aa62d5aff..c5f673857 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -38,7 +38,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 # Not needed if lastUpdated is not enabled - - uses: namespacelabs/nscloud-cache-action@v1 + - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml index b160a4fa1..16c17533d 100644 --- a/.github/workflows/release-plz.yml +++ b/.github/workflows/release-plz.yml @@ -26,7 +26,7 @@ jobs: with: fetch-depth: 0 token: ${{ secrets.HK_GH_TOKEN }} - - uses: namespacelabs/nscloud-cache-action@v1 + - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d1130e3ff..88695464f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -55,7 +55,7 @@ jobs: build-tool: cargo steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: namespacelabs/nscloud-cache-action@v1 + - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust - if: matrix.os == 'macos-latest' 
@@ -155,7 +155,7 @@ jobs: runs-on: namespace-profile-endev steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: namespacelabs/nscloud-cache-action@v1 + - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 From 531a9ee818caab08170b9fab05b249f5a3cb772a Mon Sep 17 00:00:00 2001 From: jdx <216188+jdx@users.noreply.github.com> Date: Thu, 30 Apr 2026 08:22:12 -0500 Subject: [PATCH 03/10] ci: attach cache volume to all macOS and Windows nscloud runners The bare nscloud labels don't include a cache volume, so the nscloud-cache-action step failed with "requires a cache volume to be configured". The Linux jobs run on namespace-profile-endev which has cache attached at the profile level; macOS and Windows need the -with-cache suffix on the label itself. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/ci.yml | 14 +++++++------- .github/workflows/release.yml | 6 +++--- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8221197cb..22a2edd01 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -23,7 +23,7 @@ jobs: matrix: include: - os: macos-latest - runner: nscloud-macos-sequoia-arm64-6x14 + runner: nscloud-macos-sequoia-arm64-6x14-with-cache - os: ubuntu-latest runner: namespace-profile-endev runs-on: ${{ matrix.runner }} @@ -40,7 +40,7 @@ jobs: name: hk-${{ matrix.os }} path: target/debug/hk build-windows: - runs-on: nscloud-windows-2022-amd64-8x16 + runs-on: nscloud-windows-2022-amd64-8x16-with-cache timeout-minutes: 15 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 
@@ -60,7 +60,7 @@ jobs: matrix: include: - os: macos-latest - runner: nscloud-macos-sequoia-arm64-6x14 + runner: nscloud-macos-sequoia-arm64-6x14-with-cache - os: ubuntu-latest runner: namespace-profile-endev runs-on: ${{ matrix.runner }} @@ -94,7 +94,7 @@ jobs: matrix: include: - os: macos-latest - runner: nscloud-macos-sequoia-arm64-6x14 + runner: nscloud-macos-sequoia-arm64-6x14-with-cache - os: ubuntu-latest runner: namespace-profile-endev runs-on: ${{ matrix.runner }} @@ -128,7 +128,7 @@ jobs: matrix: include: - os: macos-latest - runner: nscloud-macos-sequoia-arm64-6x14 + runner: nscloud-macos-sequoia-arm64-6x14-with-cache - os: ubuntu-latest runner: namespace-profile-endev runs-on: ${{ matrix.runner }} @@ -161,7 +161,7 @@ jobs: matrix: include: - os: macos-latest - runner: nscloud-macos-sequoia-arm64-6x14 + runner: nscloud-macos-sequoia-arm64-6x14-with-cache - os: ubuntu-latest runner: namespace-profile-endev runs-on: ${{ matrix.runner }} @@ -191,7 +191,7 @@ jobs: - run: mise run msrv ci-windows: needs: build-windows - runs-on: nscloud-windows-2022-amd64-8x16 + runs-on: nscloud-windows-2022-amd64-8x16-with-cache timeout-minutes: 20 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 88695464f..0be8e68e8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -27,7 +27,7 @@ jobs: include: - target: aarch64-apple-darwin os: macos-latest - runner: nscloud-macos-sequoia-arm64-6x14 + runner: nscloud-macos-sequoia-arm64-6x14-with-cache build-tool: cargo - target: x86_64-unknown-linux-musl os: ubuntu-latest 
@@ -47,11 +47,11 @@ jobs: build-tool: cross - target: x86_64-pc-windows-msvc os: windows-latest - runner: nscloud-windows-2022-amd64-8x16 + runner: nscloud-windows-2022-amd64-8x16-with-cache build-tool: cargo - target: aarch64-pc-windows-msvc os: windows-latest - runner: nscloud-windows-2022-amd64-8x16 + runner: nscloud-windows-2022-amd64-8x16-with-cache build-tool: cargo steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 From 75c1351af8f36b2d6e2283bd7bbeb44aab5520b3 Mon Sep 17 00:00:00 2001 
From: jdx <216188+jdx@users.noreply.github.com> Date: Thu, 30 Apr 2026 08:45:38 -0500 Subject: [PATCH 04/10] ci: use per-OS namespace profiles and add fork PR fallback Use the per-OS namespace profiles configured in the dashboard: - namespace-profile-endev-linux-amd64 - namespace-profile-endev-macos-arm64 Each profile has its cache volume attached, so the bare nscloud labels (which lacked cache) are no longer needed. Drop -with-cache suffix variants, which didn't actually attach cache on macOS. Windows reverts to windows-latest (no namespace profile exists) and uses Swatinem/rust-cache. Same for windows targets in the release matrix. Add a fork-PR fallback to ci.yml and autofix.yml: PRs from forks run on github-hosted runners with Swatinem/rust-cache instead of namespace profiles. This avoids needing to authorize forks on the namespace org and prevents cost burn from spam PRs. Add .github/actionlint.yaml whitelisting the new profile labels so 'mise run lint' and the autofix workflow stop flagging them as unknown self-hosted runner labels. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/actionlint.yaml | 5 +++ .github/workflows/autofix.yml | 9 +++- .github/workflows/ci.yml | 61 ++++++++++++++------------ .github/workflows/claude.yml | 2 +- .github/workflows/docs.yml | 4 +- .github/workflows/pr-closer.yml | 2 +- .github/workflows/release-plz.yml | 2 +- .github/workflows/release.yml | 29 +++++++----- .github/workflows/semantic-pr-lint.yml | 2 +- 9 files changed, 68 insertions(+), 48 deletions(-) create mode 100644 .github/actionlint.yaml diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml new file mode 100644 index 000000000..31c021b9b --- /dev/null +++ b/.github/actionlint.yaml @@ -0,0 +1,5 @@ +self-hosted-runner: + labels: + - namespace-profile-endev-linux-amd64 + - namespace-profile-endev-linux-arm64 + - namespace-profile-endev-macos-arm64 
diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml index b7aa896cd..6bf5ea5f0 100644 --- a/.github/workflows/autofix.yml +++ b/.github/workflows/autofix.yml @@ -18,13 +18,18 @@ env: jobs: autofix: if: github.actor != 'renovate[bot]' && github.actor != 'mend[bot]' - runs-on: namespace-profile-endev + runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'namespace-profile-endev-linux-amd64' }} timeout-minutes: 10 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 + - if: ${{ !github.event.pull_request.head.repo.fork }} + uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust + - if: ${{ github.event.pull_request.head.repo.fork }} + uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + with: + shared-key: autofix - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - run: mise x -- aube install - run: "mise run render ::: lint-fix" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 22a2edd01..19c46de69 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
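Review bot: The runner choice in `autofix` keys on `github.event.pull_request.head.repo.fork`, which is falsy whenever that field is absent, so the expression falls through to `namespace-profile-endev-linux-amd64` rather than to the GitHub-hosted runner. That is the intended result for push events, but a pull request whose head repository has since been deleted is reported without a `head.repo`, and a run triggered for it would then land on the Namespace profile and its cache volume. A form that fails closed is `runs-on: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && 'namespace-profile-endev-linux-amd64' || 'ubuntu-latest' }}`, with the matching condition on the two cache steps. The same test is repeated in every `runs-on` and cache-step `if:` of the `ci.yml` hunks in this patch, so the change applies there as well. The workflow triggers are outside the hunk, so confirm which events these jobs actually receive before adopting the `event_name` comparison as written.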
@@ -23,16 +23,19 @@ jobs: matrix: include: - os: macos-latest - runner: nscloud-macos-sequoia-arm64-6x14-with-cache + runner: namespace-profile-endev-macos-arm64 - os: ubuntu-latest - runner: namespace-profile-endev - runs-on: ${{ matrix.runner }} + runner: namespace-profile-endev-linux-amd64 + runs-on: ${{ github.event.pull_request.head.repo.fork && matrix.os || matrix.runner }} timeout-minutes: 10 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 + - if: ${{ !github.event.pull_request.head.repo.fork }} + uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust + - if: ${{ github.event.pull_request.head.repo.fork }} + uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - run: mise run build - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 @@ -40,13 +43,11 @@ jobs: name: hk-${{ matrix.os }} path: target/debug/hk build-windows: - runs-on: nscloud-windows-2022-amd64-8x16-with-cache + runs-on: windows-latest timeout-minutes: 15 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 - with: - cache: rust + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: Build run: cargo build --features git2/vendored-libgit2,git2/vendored-openssl - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 
@@ -60,10 +61,10 @@ jobs: matrix: include: - os: macos-latest - runner: nscloud-macos-sequoia-arm64-6x14-with-cache + runner: namespace-profile-endev-macos-arm64 - os: ubuntu-latest - runner: namespace-profile-endev - runs-on: ${{ matrix.runner }} + runner: namespace-profile-endev-linux-amd64 + runs-on: ${{ github.event.pull_request.head.repo.fork && matrix.os || matrix.runner }} timeout-minutes: 20 steps: - run: brew install parallel @@ -94,10 +95,10 @@ jobs: matrix: include: - os: macos-latest - runner: nscloud-macos-sequoia-arm64-6x14-with-cache + runner: namespace-profile-endev-macos-arm64 - os: ubuntu-latest - runner: namespace-profile-endev - runs-on: ${{ matrix.runner }} + runner: namespace-profile-endev-linux-amd64 + runs-on: ${{ github.event.pull_request.head.repo.fork && matrix.os || matrix.runner }} timeout-minutes: 20 steps: - run: brew install parallel @@ -128,10 +129,10 @@ jobs: matrix: include: - os: macos-latest - runner: nscloud-macos-sequoia-arm64-6x14-with-cache + runner: namespace-profile-endev-macos-arm64 - os: ubuntu-latest - runner: namespace-profile-endev - runs-on: ${{ matrix.runner }} + runner: namespace-profile-endev-linux-amd64 + runs-on: ${{ github.event.pull_request.head.repo.fork && matrix.os || matrix.runner }} timeout-minutes: 20 steps: - run: brew install parallel 
@@ -161,18 +162,21 @@ jobs: matrix: include: - os: macos-latest - runner: nscloud-macos-sequoia-arm64-6x14-with-cache + runner: namespace-profile-endev-macos-arm64 - os: ubuntu-latest - runner: namespace-profile-endev - runs-on: ${{ matrix.runner }} + runner: namespace-profile-endev-linux-amd64 + runs-on: ${{ github.event.pull_request.head.repo.fork && matrix.os || matrix.runner }} timeout-minutes: 20 steps: - run: brew install parallel if: ${{ matrix.os == 'macos-latest' }} - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 + - if: ${{ !github.event.pull_request.head.repo.fork }} + uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust + - if: ${{ github.event.pull_request.head.repo.fork }} + uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - run: mise x -- aube install - name: mise run test:cargo 
@@ -180,24 +184,25 @@ jobs: - name: mise run lint run: mise run lint msrv: - runs-on: namespace-profile-endev + runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'namespace-profile-endev-linux-amd64' }} timeout-minutes: 10 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 + - if: ${{ !github.event.pull_request.head.repo.fork }} + uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust + - if: ${{ github.event.pull_request.head.repo.fork }} + uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - run: mise run msrv ci-windows: needs: build-windows - runs-on: nscloud-windows-2022-amd64-8x16-with-cache + runs-on: windows-latest timeout-minutes: 20 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 - with: - cache: rust + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: @@ -225,7 +230,7 @@ jobs: - ci-other - ci-windows - msrv - runs-on: namespace-profile-endev + runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'namespace-profile-endev-linux-amd64' }} timeout-minutes: 1 if: always() steps: diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index bdc3e80a7..94693d04c 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml 
@@ -17,7 +17,7 @@ jobs: (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) - runs-on: namespace-profile-endev + runs-on: namespace-profile-endev-linux-amd64 permissions: contents: read pull-requests: read diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index c5f673857..137e6ee25 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -32,7 +32,7 @@ jobs: # Build job build: if: github.repository == 'jdx/hk' - runs-on: namespace-profile-endev + runs-on: namespace-profile-endev-linux-amd64 steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 @@ -63,7 +63,7 @@ jobs: pages: write # to deploy to Pages id-token: write # to verify the deployment originates from an appropriate source needs: build - runs-on: namespace-profile-endev + runs-on: namespace-profile-endev-linux-amd64 name: Deploy steps: - name: Deploy to GitHub Pages diff --git a/.github/workflows/pr-closer.yml b/.github/workflows/pr-closer.yml index c7fb247eb..5c3984927 100644 --- a/.github/workflows/pr-closer.yml +++ b/.github/workflows/pr-closer.yml @@ -7,7 +7,7 @@ on: jobs: close-stale-prs: - runs-on: namespace-profile-endev + runs-on: namespace-profile-endev-linux-amd64 permissions: pull-requests: write steps: diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml index 16c17533d..4aa1e170d 100644 --- a/.github/workflows/release-plz.yml +++ b/.github/workflows/release-plz.yml @@ -20,7 +20,7 @@ env: jobs: release-plz: if: github.repository == 'jdx/hk' - runs-on: namespace-profile-endev + runs-on: namespace-profile-endev-linux-amd64 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: 
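Review bot: The `claude.yml` job is moved to `runs-on: namespace-profile-endev-linux-amd64` with no fallback, while the visible part of its `if:` only tests that a comment, review or issue body contains `@claude`. If nothing earlier in that condition restricts the author (the expression begins above the hunk), any account that can comment on the repository can start a job on the Namespace profile, which is the cost and trust exposure the fork fallback in `ci.yml` and `autofix.yml` was added to avoid. Either keep this job on `runs-on: ubuntu-latest`, or gate it on the author, for example `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` with the equivalent field for review and issue events. The `semantic-pr-lint.yml` hunk later in this patch uses the same unconditional label, and its trigger, which is outside the hunk, should be checked for fork pull requests as well.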
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0be8e68e8..95b26a71c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -27,37 +27,42 @@ jobs: include: - target: aarch64-apple-darwin os: macos-latest - runner: nscloud-macos-sequoia-arm64-6x14-with-cache + runner: namespace-profile-endev-macos-arm64 build-tool: cargo - target: x86_64-unknown-linux-musl os: ubuntu-latest - runner: namespace-profile-endev + runner: namespace-profile-endev-linux-amd64 build-tool: cross - target: aarch64-unknown-linux-musl os: ubuntu-latest - runner: namespace-profile-endev + runner: namespace-profile-endev-linux-amd64 build-tool: cross - target: x86_64-unknown-linux-gnu os: ubuntu-latest - runner: namespace-profile-endev + runner: namespace-profile-endev-linux-amd64 build-tool: cross - target: aarch64-unknown-linux-gnu os: ubuntu-latest - runner: namespace-profile-endev + runner: namespace-profile-endev-linux-amd64 build-tool: cross - target: x86_64-pc-windows-msvc os: windows-latest - runner: nscloud-windows-2022-amd64-8x16-with-cache + runner: windows-latest build-tool: cargo - target: aarch64-pc-windows-msvc os: windows-latest - runner: nscloud-windows-2022-amd64-8x16-with-cache + runner: windows-latest build-tool: cargo steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 + - if: matrix.os != 'windows-latest' + uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust + - if: matrix.os == 'windows-latest' + uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 + with: + shared-key: rust-${{ matrix.target }} - if: matrix.os == 'macos-latest' uses: apple-actions/import-codesign-certs@fe74d46e82474f87e1ba79832ad28a4013d0e33a # v6 with: 
@@ -85,7 +90,7 @@ jobs: retention-days: 1 build-pkl: - runs-on: namespace-profile-endev + runs-on: namespace-profile-endev-linux-amd64 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 @@ -113,7 +118,7 @@ jobs: create-release: needs: [build-binaries, build-pkl] - runs-on: namespace-profile-endev + runs-on: namespace-profile-endev-linux-amd64 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: @@ -152,7 +157,7 @@ jobs: publish-crate: needs: [create-release] if: github.repository == 'jdx/hk' - runs-on: namespace-profile-endev + runs-on: namespace-profile-endev-linux-amd64 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 @@ -165,7 +170,7 @@ jobs: enhance-release: needs: [create-release] - runs-on: namespace-profile-endev + runs-on: namespace-profile-endev-linux-amd64 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: diff --git a/.github/workflows/semantic-pr-lint.yml b/.github/workflows/semantic-pr-lint.yml index 7d120d218..6491f0783 100644 --- a/.github/workflows/semantic-pr-lint.yml +++ b/.github/workflows/semantic-pr-lint.yml @@ -10,7 +10,7 @@ on: jobs: main: name: Validate PR title - runs-on: namespace-profile-endev + runs-on: namespace-profile-endev-linux-amd64 permissions: pull-requests: read steps: From 3cf9f6cd2ac4150b0c091ff4314e9136413120c9 Mon Sep 17 00:00:00 2001 
From: jdx <216188+jdx@users.noreply.github.com> Date: Thu, 30 Apr 2026 08:58:19 -0500 Subject: [PATCH 05/10] test: switch shellcheck stub from ubi backend to default registry mise's ubi backend is deprecated and on the namespace runner image fails to locate the shellcheck executable inside the downloaded package. Use the bare 'shellcheck' tool name so mise resolves it through its default registry (aqua), matching how other stubs in this directory are wired. Co-Authored-By: Claude Opus 4.7 (1M context) --- test/builtin_tool_stubs/shellcheck | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/builtin_tool_stubs/shellcheck b/test/builtin_tool_stubs/shellcheck index 9fd4ca9a0..c694021e9 100755 --- a/test/builtin_tool_stubs/shellcheck +++ b/test/builtin_tool_stubs/shellcheck @@ -1,4 +1,4 @@ #!/usr/bin/env -S mise tool-stub version = "0.11.0" -tool = "ubi:koalaman/shellcheck" +tool = "shellcheck" From 570802c63e6393725b8f05c0988979dcc6df9751 Mon Sep 17 00:00:00 2001 From: jdx <216188+jdx@users.noreply.github.com> Date: Thu, 30 Apr 2026 09:12:40 -0500 Subject: [PATCH 06/10] ci: scope mise-action cache by runner.environment Workaround for jdx/mise-action#456: the action's default cache key was os+arch only, so github-hosted and namespace caches collide and restoring one onto the other corrupts tool installs (e.g. swiftlint SIGILL on Linux, "no executable named X" across backends on macOS). Set cache_key_prefix to include runner.environment ("github-hosted" or "self-hosted") so fork-PR (github-hosted) and main/non-fork (namespace) runs use separate cache pools. Drop once mise-action#456 lands and we re-pin to the new version. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/autofix.yml | 2 ++ .github/workflows/ci.yml | 14 ++++++++++++++ .github/workflows/docs.yml | 2 ++ .github/workflows/release-plz.yml | 1 + .github/workflows/release.yml | 8 ++++++++ 5 files changed, 27 insertions(+) 
diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml index 6bf5ea5f0..95b9cbdca 100644 --- a/.github/workflows/autofix.yml +++ b/.github/workflows/autofix.yml @@ -31,6 +31,8 @@ jobs: with: shared-key: autofix - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + with: + cache_key_prefix: mise-v1-${{ runner.environment }} - run: mise x -- aube install - run: "mise run render ::: lint-fix" - uses: autofix-ci/action@7a166d7532b277f34e16238930461bf77f9d7ed8 # v1.3.3 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 19c46de69..4ae566357 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -37,6 +37,8 @@ jobs: - if: ${{ github.event.pull_request.head.repo.fork }} uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + with: + cache_key_prefix: mise-v1-${{ runner.environment }} - run: mise run build - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: @@ -71,6 +73,8 @@ jobs: if: ${{ matrix.os == 'macos-latest' }} - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + with: + cache_key_prefix: mise-v1-${{ runner.environment }} - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1 with: toolchain: nightly @@ -105,6 +109,8 @@ jobs: if: ${{ matrix.os == 'macos-latest' }} - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + with: + cache_key_prefix: mise-v1-${{ runner.environment }} - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1 with: toolchain: nightly 
@@ -139,6 +145,8 @@ jobs: if: ${{ matrix.os == 'macos-latest' }} - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + with: + cache_key_prefix: mise-v1-${{ runner.environment }} - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1 with: toolchain: nightly @@ -178,6 +186,8 @@ jobs: - if: ${{ github.event.pull_request.head.repo.fork }} uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + with: + cache_key_prefix: mise-v1-${{ runner.environment }} - run: mise x -- aube install - name: mise run test:cargo run: mise run test:cargo @@ -195,6 +205,8 @@ jobs: - if: ${{ github.event.pull_request.head.repo.fork }} uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + with: + cache_key_prefix: mise-v1-${{ runner.environment }} - run: mise run msrv ci-windows: needs: build-windows @@ -204,6 +216,8 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + with: + cache_key_prefix: mise-v1-${{ runner.environment }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: hk-windows-latest diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 137e6ee25..fdd4126f0 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -42,6 +42,8 @@ jobs: with: cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + with: + cache_key_prefix: mise-v1-${{ runner.environment }} - name: Setup Pages uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6 - name: Build with VitePress 
diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml index 4aa1e170d..e9c1035d9 100644 --- a/.github/workflows/release-plz.yml +++ b/.github/workflows/release-plz.yml @@ -31,6 +31,7 @@ jobs: cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 with: + cache_key_prefix: mise-v1-${{ runner.environment }} experimental: true - run: mise trust --all - run: mise run release-plz diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 95b26a71c..916b123e4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -94,6 +94,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + with: + cache_key_prefix: mise-v1-${{ runner.environment }} - name: Package Pkl run: | if [[ -n "${{ inputs.version }}" ]]; then @@ -124,6 +126,8 @@ jobs: with: fetch-depth: 0 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + with: + cache_key_prefix: mise-v1-${{ runner.environment }} - name: Extract release notes from CHANGELOG.md run: | awk '/^## \[/{if(found) exit; found=1} found{print}' CHANGELOG.md > release-notes.md @@ -164,6 +168,8 @@ jobs: with: cache: rust - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + with: + cache_key_prefix: mise-v1-${{ runner.environment }} - run: cargo publish env: CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} @@ -176,6 +182,8 @@ jobs: with: fetch-depth: 0 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + with: + cache_key_prefix: mise-v1-${{ runner.environment }} - name: Enhance release notes with communique run: | if [[ -n "${{ inputs.version }}" ]]; then From 641502d8b41ab3a3a939d2f8c19efee6890cef75 Mon Sep 17 00:00:00 2001 
From: "autofix-ci[bot]" <114827586+autofix-ci[bot]@users.noreply.github.com> Date: Thu, 30 Apr 2026 14:17:48 +0000 Subject: [PATCH 07/10] [autofix.ci] apply automated fixes --- mise.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mise.lock b/mise.lock index d7155bdbc..a35269689 100644 --- a/mise.lock +++ b/mise.lock @@ -1,4 +1,4 @@ -# @generated - this file is auto-generated by `mise lock` https://mise.jdx.dev/dev-tools/mise-lock.html +# @generated - this file is auto-generated by `mise lock` https://mise.en.dev/dev-tools/mise-lock.html [[tools.actionlint]] version = "1.7.7" From 6a40c5dd8fbeb9f2b25727ed1e56e4ea4bfefd5a Mon Sep 17 00:00:00 2001 From: jdx <216188+jdx@users.noreply.github.com> Date: Thu, 30 Apr 2026 09:20:48 -0500 Subject: [PATCH 08/10] ci: bump mise-action to runner-image-aware cache key Re-pin jdx/mise-action to b287efd (post jdx/mise-action#456 merge), which builds runner.environment-style discrimination into the cache key automatically. Drop the cache_key_prefix workaround everywhere except release-plz.yml, where the with: block keeps experimental: true. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/autofix.yml | 4 +--- .github/workflows/ci.yml | 28 +++++++--------------------- .github/workflows/docs.yml | 4 +--- .github/workflows/release-plz.yml | 3 +-- .github/workflows/release.yml | 16 ++++------------ 5 files changed, 14 insertions(+), 41 deletions(-) diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml index 95b9cbdca..75135a08b 100644 --- a/.github/workflows/autofix.yml +++ b/.github/workflows/autofix.yml 
@@ -30,9 +30,7 @@ jobs: uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 with: shared-key: autofix - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - with: - cache_key_prefix: mise-v1-${{ runner.environment }} + - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 - run: mise x -- aube install - run: "mise run render ::: lint-fix" - uses: autofix-ci/action@7a166d7532b277f34e16238930461bf77f9d7ed8 # v1.3.3 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4ae566357..b0f2f5396 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,9 +36,7 @@ jobs: cache: rust - if: ${{ github.event.pull_request.head.repo.fork }} uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - with: - cache_key_prefix: mise-v1-${{ runner.environment }} + - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 - run: mise run build - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: @@ -72,9 +70,7 @@ jobs: - run: brew install parallel if: ${{ matrix.os == 'macos-latest' }} - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - with: - cache_key_prefix: mise-v1-${{ runner.environment }} + - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1 with: toolchain: nightly 
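Review bot: The new pin `jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84` keeps the trailing `# v4` comment, but the commit message describes it as the commit after jdx/mise-action#456 merged rather than as a release. If that SHA is not what a v4 tag points to, the comment misstates what is pinned, and update bots that read the comment may handle the next bump oddly. I would make the comment say what it is, e.g. `# untagged: includes jdx/mise-action#456, re-pin to the next v4 release`. The same applies to the other mise-action lines this patch touches in ci.yml, docs.yml, release-plz.yml and release.yml.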
@@ -108,9 +104,7 @@ jobs: - run: brew install parallel if: ${{ matrix.os == 'macos-latest' }} - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - with: - cache_key_prefix: mise-v1-${{ runner.environment }} + - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1 with: toolchain: nightly @@ -144,9 +138,7 @@ jobs: - run: brew install parallel if: ${{ matrix.os == 'macos-latest' }} - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - with: - cache_key_prefix: mise-v1-${{ runner.environment }} + - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 - uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1 with: toolchain: nightly @@ -185,9 +177,7 @@ jobs: cache: rust - if: ${{ github.event.pull_request.head.repo.fork }} uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - with: - cache_key_prefix: mise-v1-${{ runner.environment }} + - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 - run: mise x -- aube install - name: mise run test:cargo run: mise run test:cargo @@ -204,9 +194,7 @@ jobs: cache: rust - if: ${{ github.event.pull_request.head.repo.fork }} uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - with: - cache_key_prefix: mise-v1-${{ runner.environment }} + - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 - run: mise run msrv ci-windows: needs: build-windows 
@@ -215,9 +203,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - with: - cache_key_prefix: mise-v1-${{ runner.environment }} + - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: hk-windows-latest diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index fdd4126f0..69ea7a3be 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -41,9 +41,7 @@ jobs: - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - with: - cache_key_prefix: mise-v1-${{ runner.environment }} + - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 - name: Setup Pages uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6 - name: Build with VitePress diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml index e9c1035d9..68513c68a 100644 --- a/.github/workflows/release-plz.yml +++ b/.github/workflows/release-plz.yml @@ -29,9 +29,8 @@ jobs: - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 with: - cache_key_prefix: mise-v1-${{ runner.environment }} experimental: true - run: mise trust --all - run: mise run release-plz diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 916b123e4..184e7c2be 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -93,9 +93,7 @@ jobs: runs-on: namespace-profile-endev-linux-amd64 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - with: - cache_key_prefix: mise-v1-${{ runner.environment }} + - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 - name: Package Pkl run: | if [[ -n "${{ inputs.version }}" ]]; then @@ -125,9 +123,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - with: - cache_key_prefix: mise-v1-${{ runner.environment }} + - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 - name: Extract release notes from CHANGELOG.md run: | awk '/^## \[/{if(found) exit; found=1} found{print}' CHANGELOG.md > release-notes.md @@ -167,9 +163,7 @@ jobs: - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - with: - cache_key_prefix: mise-v1-${{ runner.environment }} + - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 - run: cargo publish env: CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} @@ -181,9 +175,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - with: - cache_key_prefix: mise-v1-${{ runner.environment }} + - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 - name: Enhance release notes with communique run: | if [[ -n "${{ inputs.version }}" ]]; then From 60de25a09a31a0c2504e2138e2577b3fc232c949 Mon Sep 17 00:00:00 2001 
From: jdx <216188+jdx@users.noreply.github.com> Date: Thu, 30 Apr 2026 09:43:56 -0500 Subject: [PATCH 09/10] ci: pin ci-nogit to github-hosted runners builtins_tests.bats installs ~50 tools via mise under 16-way bats parallelism. On namespace runners this surfaces several mise issues: many backends report "does not have an executable named X" on fresh installs (aqua, github, npm, pipx, gem all affected), and asdf:swiftlint binaries SIGILL on namespace's linux image. The same test passes consistently on github-hosted runners. Run this single job on github-hosted runners until the mise + namespace incompatibility is investigated. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/ci.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b0f2f5396..c17ba26d8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -127,12 +127,13 @@ jobs: strategy: fail-fast: false matrix: - include: - - os: macos-latest - runner: namespace-profile-endev-macos-arm64 - - os: ubuntu-latest - runner: namespace-profile-endev-linux-amd64 - runs-on: ${{ github.event.pull_request.head.repo.fork && matrix.os || matrix.runner }} + os: [macos-latest, ubuntu-latest] + # Pinned to github-hosted runners: builtins_tests.bats installs ~50 + # tools via mise under 16-way parallelism, which surfaces a + # mise + namespace-runner incompatibility (many backends report + # "does not have an executable named X" on fresh installs, and + # asdf:swiftlint binaries SIGILL on namespace's linux image). + runs-on: ${{ matrix.os }} timeout-minutes: 20 steps: - run: brew install parallel From 346150a3abc5564f5a45aa45c68830698416d0d0 Mon Sep 17 00:00:00 2001 
From: jdx <216188+jdx@users.noreply.github.com> Date: Thu, 30 Apr 2026 09:54:16 -0500 Subject: [PATCH 10/10] ci: drop fork PR fallback, use namespace runners for all PRs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Forks running on the upstream repo's workflow can rewrite the runs-on labels anyway (pull_request events use the fork's HEAD workflow file), so the conditional fallback to github-hosted on fork PRs didn't actually constrain what an attacker could do — just complicated the YAML. Drop the conditional and use namespace profiles uniformly. Token semantics are unchanged: fork PRs still get a read-only GITHUB_TOKEN with no secrets regardless of runner provider, since GitHub Actions controls token issuance, not the runner. ci-nogit stays pinned to github-hosted for an unrelated reason (mise + namespace tool-install incompatibility under high parallelism in builtins_tests.bats). Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/autofix.yml | 9 ++------- .github/workflows/ci.yml | 27 +++++++++------------------ 2 files changed, 11 insertions(+), 25 deletions(-) diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml index 75135a08b..17dc137fa 100644 --- a/.github/workflows/autofix.yml +++ b/.github/workflows/autofix.yml 
@@ -18,18 +18,13 @@ env: jobs: autofix: if: github.actor != 'renovate[bot]' && github.actor != 'mend[bot]' - runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'namespace-profile-endev-linux-amd64' }} + runs-on: namespace-profile-endev-linux-amd64 timeout-minutes: 10 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - if: ${{ !github.event.pull_request.head.repo.fork }} - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 + - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust - - if: ${{ github.event.pull_request.head.repo.fork }} - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - with: - shared-key: autofix - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 - run: mise x -- aube install - run: "mise run render ::: lint-fix" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c17ba26d8..3852aa87d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,16 +26,13 @@ jobs: runner: namespace-profile-endev-macos-arm64 - os: ubuntu-latest runner: namespace-profile-endev-linux-amd64 - runs-on: ${{ github.event.pull_request.head.repo.fork && matrix.os || matrix.runner }} + runs-on: ${{ matrix.runner }} timeout-minutes: 10 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - if: ${{ !github.event.pull_request.head.repo.fork }} - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 + - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust - - if: ${{ github.event.pull_request.head.repo.fork }} - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 - run: mise run build - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 
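Review bot: With the fork conditionals removed, pull-request runs from forks now execute `namespacelabs/nscloud-cache-action` with `cache: rust` on `namespace-profile-endev-linux-amd64`, the same profile and cache mode that release.yml's publish-crate job uses right before `cargo publish` with `CARGO_REGISTRY_TOKEN`. The commit message is right that token scope is unchanged, but the cache is state that outlives the job. Whether Namespace keeps cache contents written by PR runs away from release runs is not visible in this patch and should be confirmed. An `if:` guard in the workflow would not help, for the reason the message itself gives, so the separation has to sit on the release side: a dedicated runner profile for release.yml and release-plz.yml, or no cache restore in those jobs. A comment next to the label, e.g. `# fork PRs run on this profile; release jobs must not share its cache`, would record the assumption; the same applies to the ci.yml hunks of this patch.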
@@ -64,7 +61,7 @@ jobs: runner: namespace-profile-endev-macos-arm64 - os: ubuntu-latest runner: namespace-profile-endev-linux-amd64 - runs-on: ${{ github.event.pull_request.head.repo.fork && matrix.os || matrix.runner }} + runs-on: ${{ matrix.runner }} timeout-minutes: 20 steps: - run: brew install parallel @@ -98,7 +95,7 @@ jobs: runner: namespace-profile-endev-macos-arm64 - os: ubuntu-latest runner: namespace-profile-endev-linux-amd64 - runs-on: ${{ github.event.pull_request.head.repo.fork && matrix.os || matrix.runner }} + runs-on: ${{ matrix.runner }} timeout-minutes: 20 steps: - run: brew install parallel @@ -166,18 +163,15 @@ jobs: runner: namespace-profile-endev-macos-arm64 - os: ubuntu-latest runner: namespace-profile-endev-linux-amd64 - runs-on: ${{ github.event.pull_request.head.repo.fork && matrix.os || matrix.runner }} + runs-on: ${{ matrix.runner }} timeout-minutes: 20 steps: - run: brew install parallel if: ${{ matrix.os == 'macos-latest' }} - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - if: ${{ !github.event.pull_request.head.repo.fork }} - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 + - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust - - if: ${{ github.event.pull_request.head.repo.fork }} - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 - run: mise x -- aube install - name: mise run test:cargo 
@@ -185,16 +179,13 @@ jobs: - name: mise run lint run: mise run lint msrv: - runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'namespace-profile-endev-linux-amd64' }} + runs-on: namespace-profile-endev-linux-amd64 timeout-minutes: 10 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - if: ${{ !github.event.pull_request.head.repo.fork }} - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 + - uses: namespacelabs/nscloud-cache-action@15799a6b54e5765f85b2aac25b3f0df43ed571c0 # v1 with: cache: rust - - if: ${{ github.event.pull_request.head.repo.fork }} - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - uses: jdx/mise-action@b287efda3dc5f4f3c328507653b6617da783ff84 # v4 - run: mise run msrv ci-windows: @@ -231,7 +222,7 @@ jobs: - ci-other - ci-windows - msrv - runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'namespace-profile-endev-linux-amd64' }} + runs-on: namespace-profile-endev-linux-amd64 timeout-minutes: 1 if: always() steps: