fix: add disk space cleanup step for Ubuntu runners

[thomhurst]

Summary

• Adds a disk space cleanup step at the start of the .NET workflow for Ubuntu runners
• Removes unused pre-installed software (Android SDK, pre-installed .NET, Haskell) to free ~15-25GB
• Fixes disk space exhaustion issue seen in CI (e.g., chore(deps): update dependency microsoft.entityframeworkcore to 10.0.2 #4373 dependency update)

Context

The ubuntu-latest runner was failing with:

No space left on device: '/home/runner/actions-runner/cached/_diag/Worker_*.log'

Test plan

• Verify the workflow runs successfully on ubuntu-latest without disk space errors

🤖 Generated with Claude Code

[thomhurst]

Summary

Adds disk space cleanup step to GitHub Actions workflow for Ubuntu runners to prevent out-of-space failures.

Critical Issues

Using unpinned @main version of third-party action

In .github/workflows/dotnet.yml:31:

uses: jlumbroso/free-disk-space@main

Security Risk: Using @main means every workflow run pulls the latest code, which:

• Could introduce malicious code if the upstream repo is compromised
• Could break CI if the action changes incompatibly
• Violates GitHub security best practices

Required Fix: Pin to a specific commit SHA or version tag:

# Use a pinned commit SHA (recommended for security)
uses: jlumbroso/free-disk-space@54081f138730dfc15788a16edb5751d3f3f8e09c # v1.3.1

# Or use a version tag (easier to update but slightly less secure)
uses: jlumbroso/[email protected]

Reference: GitHub Actions Security Hardening

Suggestions

None - the approach is sound for addressing disk space issues on Ubuntu runners. The configuration choices (keeping tool-cache and large-packages, removing Android/Haskell/.NET) seem reasonable for TUnit's needs.

Verdict

⚠️ REQUEST CHANGES - Must pin the action version for security