From 73763f9864332e98a749e92a35ac6dbc8c82fa26 Mon Sep 17 00:00:00 2001 From: Will Sarg <12886992+willsarg@users.noreply.github.com> Date: Mon, 16 Feb 2026 16:40:13 -0500 Subject: [PATCH] chore(workflows): complete migration to Blacksmith cloud runners (#435) * chore(workflows): complete migration to Blacksmith cloud runners Migrate remaining workflows from self-hosted axecap runners to Blacksmith: - docker.yml: publish job - release.yml: publish job - security.yml: audit and deny jobs (conditional on push events) This completes the transition away from self-hosted infrastructure. Axecap runner registrations (IDs 21, 22) have been removed. All workflows now use blacksmith-2vcpu-ubuntu-2404 label for consistency. * Merge branch 'main' into selfhost-blacksmith --- .github/workflows/docker.yml | 2 +- .github/workflows/release.yml | 188 ++++++++++++++++----------------- .github/workflows/security.yml | 4 +- 3 files changed, 97 insertions(+), 97 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index bb88fa1..63ea2ad 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -61,7 +61,7 @@ jobs: publish: name: Build and Push Docker Image if: github.event_name == 'push' - runs-on: [self-hosted, Linux, X64, lxc-ci] + runs-on: blacksmith-2vcpu-ubuntu-2404 timeout-minutes: 25 permissions: contents: read diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 716b430..e8c3cd3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
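Review bot: The new `runs-on: blacksmith-2vcpu-ubuntu-2404` in the docker.yml `publish` job has no comment saying that this label resolves to a third-party managed runner, which is the machine that will now hold whatever registry credentials and token scopes the job uses when it pushes the image. I would add a line above it such as `# Blacksmith-hosted runner (third party); this job handles image push credentials, keep permissions minimal`. The `permissions:` block continues past the end of the hunk, so the scopes granted beyond `contents: read` cannot be checked from here and are worth confirming against what the push step needs.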
@@ -1,117 +1,117 @@ name: Release on: - push: - tags: ["v*"] + push: + tags: ["v*"] permissions: - contents: write - id-token: write # Required for cosign keyless signing via OIDC + contents: write + id-token: write # Required for cosign keyless signing via OIDC env: - CARGO_TERM_COLOR: always + CARGO_TERM_COLOR: always jobs: - build-release: - name: Build ${{ matrix.target }} - runs-on: ${{ matrix.os }} - timeout-minutes: 40 - strategy: - fail-fast: false - matrix: - include: - - os: ubuntu-latest - target: blacksmith-2vcpu-ubuntu-2404 - artifact: zeroclaw - - os: macos-latest - target: x86_64-apple-darwin - artifact: zeroclaw - - os: macos-latest - target: aarch64-apple-darwin - artifact: zeroclaw - - os: windows-latest - target: x86_64-pc-windows-msvc - artifact: zeroclaw.exe + build-release: + name: Build ${{ matrix.target }} + runs-on: ${{ matrix.os }} + timeout-minutes: 40 + strategy: + fail-fast: false + matrix: + include: + - os: ubuntu-latest + target: blacksmith-2vcpu-ubuntu-2404 + artifact: zeroclaw + - os: macos-latest + target: x86_64-apple-darwin + artifact: zeroclaw + - os: macos-latest + target: aarch64-apple-darwin + artifact: zeroclaw + - os: windows-latest + target: x86_64-pc-windows-msvc + artifact: zeroclaw.exe - steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + steps: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable - with: - targets: ${{ matrix.target }} + - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable + with: + targets: ${{ matrix.target }} - - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2 + - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2 - - name: Build release - run: cargo build --release --locked --target ${{ matrix.target }} + - name: Build release + run: cargo build --release --locked --target ${{ matrix.target }} - 
- name: Check binary size (Unix) - if: runner.os != 'Windows' - run: | - SIZE=$(stat -f%z target/${{ matrix.target }}/release/${{ matrix.artifact }} 2>/dev/null || stat -c%s target/${{ matrix.target }}/release/${{ matrix.artifact }}) - echo "Binary size: $((SIZE / 1024 / 1024))MB ($SIZE bytes)" - if [ "$SIZE" -gt 5242880 ]; then - echo "::warning::Binary exceeds 5MB target" - fi + - name: Check binary size (Unix) + if: runner.os != 'Windows' + run: | + SIZE=$(stat -f%z target/${{ matrix.target }}/release/${{ matrix.artifact }} 2>/dev/null || stat -c%s target/${{ matrix.target }}/release/${{ matrix.artifact }}) + echo "Binary size: $((SIZE / 1024 / 1024))MB ($SIZE bytes)" + if [ "$SIZE" -gt 5242880 ]; then + echo "::warning::Binary exceeds 5MB target" + fi - - name: Package (Unix) - if: runner.os != 'Windows' - run: | - cd target/${{ matrix.target }}/release - tar czf ../../../zeroclaw-${{ matrix.target }}.tar.gz ${{ matrix.artifact }} + - name: Package (Unix) + if: runner.os != 'Windows' + run: | + cd target/${{ matrix.target }}/release + tar czf ../../../zeroclaw-${{ matrix.target }}.tar.gz ${{ matrix.artifact }} - - name: Package (Windows) - if: runner.os == 'Windows' - run: | - cd target/${{ matrix.target }}/release - 7z a ../../../zeroclaw-${{ matrix.target }}.zip ${{ matrix.artifact }} + - name: Package (Windows) + if: runner.os == 'Windows' + run: | + cd target/${{ matrix.target }}/release + 7z a ../../../zeroclaw-${{ matrix.target }}.zip ${{ matrix.artifact }} - - name: Upload artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 - with: - name: zeroclaw-${{ matrix.target }} - path: zeroclaw-${{ matrix.target }}.* + - name: Upload artifact + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + with: + name: zeroclaw-${{ matrix.target }} + path: zeroclaw-${{ matrix.target }}.* - publish: - name: Publish Release - needs: build-release - runs-on: [self-hosted, Linux, X64, lxc-ci] - timeout-minutes: 15 - 
steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + publish: + name: Publish Release + needs: build-release + runs-on: blacksmith-2vcpu-ubuntu-2404 + timeout-minutes: 15 + steps: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - name: Download all artifacts - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 - with: - path: artifacts + - name: Download all artifacts + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 + with: + path: artifacts - - name: Generate SHA256 checksums - run: | - cd artifacts - find . -type f \( -name '*.tar.gz' -o -name '*.zip' \) -exec sha256sum {} + | sed 's| \./[^/]*/| |' > SHA256SUMS - echo "Generated checksums:" - cat SHA256SUMS + - name: Generate SHA256 checksums + run: | + cd artifacts + find . -type f \( -name '*.tar.gz' -o -name '*.zip' \) -exec sha256sum {} + | sed 's| \./[^/]*/| |' > SHA256SUMS + echo "Generated checksums:" + cat SHA256SUMS - - name: Install cosign - uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2 + - name: Install cosign + uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2 - - name: Sign artifacts with cosign (keyless) - run: | - for file in artifacts/**/*; do - [ -f "$file" ] || continue - cosign sign-blob --yes \ - --oidc-issuer=https://token.actions.githubusercontent.com \ - --output-signature="${file}.sig" \ - --output-certificate="${file}.pem" \ - "$file" - done + - name: Sign artifacts with cosign (keyless) + run: | + for file in artifacts/**/*; do + [ -f "$file" ] || continue + cosign sign-blob --yes \ + --oidc-issuer=https://token.actions.githubusercontent.com \ + --output-signature="${file}.sig" \ + --output-certificate="${file}.pem" \ + "$file" + done - - name: Create GitHub Release - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2 - with: - generate_release_notes: true - files: | - 
artifacts/**/* - artifacts/SHA256SUMS - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Create GitHub Release + uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2 + with: + generate_release_notes: true + files: | + artifacts/**/* + artifacts/SHA256SUMS + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index c3abc10..cac7ec4 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -21,7 +21,7 @@ env: jobs: audit: name: Security Audit - runs-on: ${{ github.event_name != 'pull_request' && fromJSON('["self-hosted","Linux","X64","lxc-ci"]') || 'ubuntu-latest' }} + runs-on: ${{ github.event_name != 'pull_request' && 'blacksmith-2vcpu-ubuntu-2404' || 'ubuntu-latest' }} timeout-minutes: 20 steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 @@ -37,7 +37,7 @@ jobs: deny: name: License & Supply Chain - runs-on: ${{ github.event_name != 'pull_request' && fromJSON('["self-hosted","Linux","X64","lxc-ci"]') || 'ubuntu-latest' }} + runs-on: ${{ github.event_name != 'pull_request' && 'blacksmith-2vcpu-ubuntu-2404' || 'ubuntu-latest' }} timeout-minutes: 20 steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
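Review bot: The Linux matrix entry on the new side of release.yml still reads `os: ubuntu-latest` with `target: blacksmith-2vcpu-ubuntu-2404`, so a runner label is passed as the Rust target to both `targets: ${{ matrix.target }}` and `cargo build --release --locked --target ${{ matrix.target }}`, and that leg of `build-release` cannot be expected to build. The same values are on the removed side, so this predates the commit, but the re-indent rewrites those lines without fixing them; presumably the intent was `- os: blacksmith-2vcpu-ubuntu-2404` with `target: x86_64-unknown-linux-gnu` (the triple is my assumption, confirm it). Separately, the workflow-level `permissions:` grants `contents: write` and `id-token: write` to `build-release` as well, a job that compiles dependencies and needs neither; declaring those two scopes under `publish` only would keep the signing identity and release write access out of the build legs. Since the only functional change in this 188-line hunk is the `publish` `runs-on` line, splitting the re-indentation into its own commit would make the release pipeline easier to audit.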
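Review bot: The `audit` job's new `runs-on` expression in security.yml sends every event other than `pull_request` to `blacksmith-2vcpu-ubuntu-2404`, while the commit description says these jobs use the Blacksmith runner conditionally on push events. With a negative test, any trigger added later (for example `pull_request_target` or `workflow_dispatch`) would land on the Blacksmith runner by default; the workflow's `on:` block is outside the hunk, so which events apply today cannot be seen here. If push is the only case meant to use that runner, matching it positively, as docker.yml does with `github.event_name == 'push'`, states the intent directly: `runs-on: ${{ github.event_name == 'push' && 'blacksmith-2vcpu-ubuntu-2404' || 'ubuntu-latest' }}`. The same expression appears in the `deny` job in the following hunk and should change with it.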