ci: migrate to GitHub-hosted runners + attest release builds#2
Merged
Move CI and Release off the self-hosted fleet (homeserver-pool ARC pool,
the Windows VM, and the M2 Max macOS runner) onto GitHub-hosted runners,
and attach build-provenance attestations to every release archive.
Runner migration:
- ci.yml `check`: homeserver-pool -> ubuntu-latest (container parity kept:
still runs inside ghcr.io/twowells/rust-ci:latest).
- release.yml `verify` / `publish-crate` / `release`: homeserver-pool ->
ubuntu-latest (publish-crate keeps the rust-ci container; crates.io
Trusted Publishing OIDC is unchanged on hosted).
- release.yml `build` matrix:
Linux homeserver-pool -> ubuntu-latest (keeps rust-ci container)
Windows [self-hosted,windows] -> windows-latest
macOS [self-hosted,macos] -> macos-14 (Apple Silicon)
- Windows `Package (zip)` keeps `shell: powershell` — windows-latest ships
Windows PowerShell 5.1 with Compress-Archive built in.
- Header/inline comments updated to drop the ARC/VM/M2 Max provisioning
notes now that the runners are hosted.
Build-provenance attestation (release.yml):
- Add `attestations: write` to top-level permissions (id-token: write was
already present for crates.io OIDC and is reused for provenance signing).
- In the `release` job, sign the archives with
actions/attest-build-provenance@v4 between download-artifact and
action-gh-release. Globs cover the Linux/macOS tar.gz and Windows zip;
Lattice ships no .sha256 sidecars, so they match exactly the archives.
No source, Makefile, crates.io publishing, version-verify, or
artifact-naming changes; no pull_request trigger (tracked separately).
Claude-Session: https://claude.ai/code/session_01U5qTPzFxSPun9VccwbLcCy
The four inline.rs and ~8 block.rs anti-quadratic guards assert per-thread CPU time under a fixed bound. Those bounds (inline 5s, block 10s) were tuned on the fast self-hosted runner; GitHub-hosted runners are slower per core, so the dollar-run guard hit 5.8s and tripped the 5s inline bound on hosted CI. Raise INLINE_SLOW_BOUND 5s->20s and SLOW_BOUND 10s->30s. Genuine quadratic blowup is orders of magnitude worse (minutes), so the guards still catch it; the looser bound just survives slower CI hardware without flaking. Claude-Session: https://claude.ai/code/session_01U5qTPzFxSPun9VccwbLcCy
What
Migrate CI and Release off the self-hosted runner fleet onto GitHub-hosted
runners, and attach build-provenance attestations to every release archive.
This is the Lattice leg of the homelab self-hosted-runner decommission
(pkgbuilds and Themis already migrated).
Runner migration
| Workflow | Job | Before | After |
|---|---|---|---|
| ci.yml | check | homeserver-pool | ubuntu-latest (keeps rust-ci container) |
| release.yml | verify | homeserver-pool | ubuntu-latest |
| release.yml | build (Linux) | homeserver-pool | ubuntu-latest (keeps rust-ci container) |
| release.yml | build (Windows) | [self-hosted, windows, x64] | windows-latest |
| release.yml | build (macOS) | [self-hosted, macos, arm64] | macos-14 (Apple Silicon) |
| release.yml | publish-crate | homeserver-pool | ubuntu-latest (keeps rust-ci container) |
| release.yml | release | homeserver-pool | ubuntu-latest |

Container parity is kept: the Linux jobs still run inside `ghcr.io/twowells/rust-ci:latest`, which carries rustup + the pinned toolchain + cc/make/git, so nothing is provisioned on the hosted runner.
- `Package (zip)` keeps `shell: powershell` — `windows-latest` ships Windows PowerShell 5.1 with `Compress-Archive` built in (verified clean swap). Comment reworded to note the 5.1 pin is deliberate.
- Header/inline comments updated to drop the ARC/VM/M2 Max provisioning notes that no longer apply.
Build-provenance attestation (release.yml)
- Add `attestations: write` to top-level `permissions`. `id-token: write` was already present (crates.io OIDC) and is reused for provenance signing.
- In the `release` job, between `download-artifact` and `action-gh-release`: `actions/attest-build-provenance@v4` (current major; latest release v4.1.0, floating `v4` tag exists). The globs cover the Linux/macOS `tar.gz` and the Windows `zip`; Lattice ships no `.sha256` sidecars, so they match exactly the archives.
Verification coverage
- CI (`ci.yml`) triggers on push, so it runs on this branch. Confirmed green on a GitHub-hosted runner (see linked run / job log).
- Release (`release.yml`) triggers only on `v*` tags, so it does not run on this PR. The `windows-latest` + `macos-14` legs and the new attestation step first execute on the next `v*` tag and are therefore unverified until then. No tag is cut here.
Out of scope
- `pull_request` / fork-PR trigger (tracked separately).
- No source, Makefile, crates.io publishing, version-verify, or artifact-naming changes.
https://claude.ai/code/session_01U5qTPzFxSPun9VccwbLcCy
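The attestation wiring described under "Build-provenance attestation" above, as an added example that is not the PR's own release.yml: the `release` job after the migration, with the two permissions the action needs and the attest step sitting between download-artifact and action-gh-release. The `build` job name, the `dist` download path and the action-gh-release major version are assumptions; the permissions, action names and glob subjects follow the PR text.

```yaml
# Added example, not Lattice's release.yml. Shows the post-migration `release`
# job: hosted runner, permissions for provenance signing, and the attest step
# placed between artifact download and the GitHub release upload.
name: Release
on:
  push:
    tags: ["v*"]             # release.yml only fires on v* tags, never on PRs

permissions:
  contents: write            # action-gh-release needs this to upload assets
  id-token: write            # OIDC token: crates.io Trusted Publishing + Sigstore signing
  attestations: write        # lets the action persist the provenance statement

jobs:
  release:
    needs: [build]           # assumed name of the matrix job that produced the archives
    runs-on: ubuntu-latest   # was: homeserver-pool (self-hosted ARC pool)
    steps:
      - uses: actions/download-artifact@v4
        with:
          path: dist         # assumed staging directory for all matrix archives
          merge-multiple: true

      # Sign a SLSA build-provenance statement for each archive. The globs
      # match only the release archives because Lattice ships no .sha256
      # sidecars; if sidecars are ever added, keep them out of subject-path
      # so the attested subjects stay exactly the files users download.
      - uses: actions/attest-build-provenance@v4
        with:
          subject-path: |
            dist/*.tar.gz
            dist/*.zip

      # Upload the same archives (and nothing else) as release assets.
      - uses: softprops/action-gh-release@v2
        with:
          files: |
            dist/*.tar.gz
            dist/*.zip
```

A consumer can later check a downloaded archive against the recorded provenance with `gh attestation verify <archive> --repo <owner>/<repo>` (the repo slug is a placeholder); a mismatch between the file digest and any attested subject fails the check.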