From 72325bdcd081b87a99c6448fd8cc68828c5dc823 Mon Sep 17 00:00:00 2001 From: Julien Goux Date: Thu, 11 Jun 2026 14:55:14 +0200 Subject: [PATCH 1/4] ci: replace artifact handoffs with cache --- .github/actionlint.yaml | 2 + .github/workflows/build-cli-artifacts.yml | 19 ++++++-- .github/workflows/cli-go-ci.yml | 26 ++++++++--- .github/workflows/cli-go-codeql.yml | 2 - .github/workflows/cli-go-mirror.yml | 2 - .github/workflows/cli-go-pg-prove.yml | 2 - .github/workflows/cli-go-publish-migra.yml | 2 - .github/workflows/cli-go-tag-pkg.yml | 2 - .../publish-preview-cli-packages.yml | 11 +++-- .github/workflows/release-shared.yml | 44 ++++++++++++++----- 10 files changed, 78 insertions(+), 34 deletions(-) diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml index e9c0d32e94..f48de6450b 100644 --- a/.github/actionlint.yaml +++ b/.github/actionlint.yaml @@ -1,5 +1,7 @@ self-hosted-runner: labels: + - arm-runner + - blacksmith-2vcpu-ubuntu-2404 - blacksmith-32vcpu-ubuntu-2404 - blacksmith-8vcpu-ubuntu-2404 - blacksmith-6vcpu-macos-latest diff --git a/.github/workflows/build-cli-artifacts.yml b/.github/workflows/build-cli-artifacts.yml index a9f7365337..3510e3a5be 100644 --- a/.github/workflows/build-cli-artifacts.yml +++ b/.github/workflows/build-cli-artifacts.yml @@ -79,10 +79,23 @@ jobs: echo "Checking dist/..." ls -la dist/ - - name: Upload build artifacts - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + - name: Check existing build artifacts cache + id: build-artifacts-cache + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: - name: cli-build-${{ inputs.shell }}-${{ inputs.version }} path: | packages/cli-*/bin/ dist/ + key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-v1 + enableCrossOsArchive: true + lookup-only: true + + - name: Save build artifacts cache + if: steps.build-artifacts-cache.outputs.cache-hit != 'true' + uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: | + packages/cli-*/bin/ + dist/ + key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-v1 + enableCrossOsArchive: true diff --git a/.github/workflows/cli-go-ci.yml b/.github/workflows/cli-go-ci.yml index 80e637428c..b4bda99eff 100644 --- a/.github/workflows/cli-go-ci.yml +++ b/.github/workflows/cli-go-ci.yml @@ -5,8 +5,6 @@ on: paths: - apps/cli-go/** merge_group: - paths: - - apps/cli-go/** push: branches: - develop @@ -37,10 +35,20 @@ jobs: go tool gotestsum -- -race -v -count=1 ./... \ -coverpkg="./cmd/...,./internal/...,${pkgs}" -coverprofile=coverage.out - - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + - name: Check existing coverage cache + id: coverage-cache + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 + with: + path: apps/cli-go/coverage.out + key: cli-go-coverage-${{ github.run_id }}-v1 + lookup-only: true + + - name: Save coverage cache + if: steps.coverage-cache.outputs.cache-hit != 'true' + uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: - name: code-coverage-report path: apps/cli-go/coverage.out + key: cli-go-coverage-${{ github.run_id }}-v1 coverage: name: Coverage @@ -48,9 +56,15 @@ jobs: - test runs-on: ubuntu-latest steps: - - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + - name: Restore coverage cache + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: - name: code-coverage-report + path: apps/cli-go/coverage.out + key: cli-go-coverage-${{ github.run_id }}-v1 + fail-on-cache-miss: true + - name: Move coverage report + run: cp apps/cli-go/coverage.out coverage.out + working-directory: . - uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7 with: file: coverage.out diff --git a/.github/workflows/cli-go-codeql.yml b/.github/workflows/cli-go-codeql.yml index 44249cbe78..ea1dd99bb3 100644 --- a/.github/workflows/cli-go-codeql.yml +++ b/.github/workflows/cli-go-codeql.yml @@ -16,8 +16,6 @@ on: paths: - apps/cli-go/** merge_group: - paths: - - apps/cli-go/** push: branches: - develop diff --git a/.github/workflows/cli-go-mirror.yml b/.github/workflows/cli-go-mirror.yml index 1297dc8f5f..ec8856ff29 100644 --- a/.github/workflows/cli-go-mirror.yml +++ b/.github/workflows/cli-go-mirror.yml @@ -15,8 +15,6 @@ on: # # TODO: Make the cli start test run *after* we mirror images (if needed). workflow_dispatch: - paths: - - apps/cli-go/** permissions: contents: read diff --git a/.github/workflows/cli-go-pg-prove.yml b/.github/workflows/cli-go-pg-prove.yml index d94a47448f..14202acc5c 100644 --- a/.github/workflows/cli-go-pg-prove.yml +++ b/.github/workflows/cli-go-pg-prove.yml @@ -2,8 +2,6 @@ name: Publish pg_prove on: workflow_dispatch: - paths: - - apps/cli-go/** permissions: contents: read diff --git a/.github/workflows/cli-go-publish-migra.yml b/.github/workflows/cli-go-publish-migra.yml index 37f5ca2ad5..5220a0562d 100644 --- a/.github/workflows/cli-go-publish-migra.yml +++ b/.github/workflows/cli-go-publish-migra.yml @@ -2,8 +2,6 @@ name: Publish migra on: workflow_dispatch: - paths: - - apps/cli-go/** permissions: contents: read diff --git a/.github/workflows/cli-go-tag-pkg.yml b/.github/workflows/cli-go-tag-pkg.yml index 56cf474aea..a84c3fe721 100644 --- a/.github/workflows/cli-go-tag-pkg.yml +++ b/.github/workflows/cli-go-tag-pkg.yml @@ -7,8 +7,6 @@ on: description: "pkg version to tag (e.g. v1.2.2)" required: true type: string - paths: - - apps/cli-go/** permissions: contents: write diff --git a/.github/workflows/publish-preview-cli-packages.yml b/.github/workflows/publish-preview-cli-packages.yml index ca819a2c63..b88d7b06d7 100644 --- a/.github/workflows/publish-preview-cli-packages.yml +++ b/.github/workflows/publish-preview-cli-packages.yml @@ -51,10 +51,15 @@ jobs: - name: Setup uses: ./.github/actions/setup - - name: Download preview build artifacts - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + - name: Restore preview build artifacts cache + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: - name: cli-build-legacy-${{ env.PREVIEW_VERSION }} + path: | + packages/cli-*/bin/ + dist/ + key: cli-build-${{ github.run_id }}-legacy-${{ env.PREVIEW_VERSION }}-v1 + enableCrossOsArchive: true + fail-on-cache-miss: true - name: Prepare package files run: | diff --git a/.github/workflows/release-shared.yml b/.github/workflows/release-shared.yml index fc412e17eb..3804eaa0ec 100644 --- a/.github/workflows/release-shared.yml +++ b/.github/workflows/release-shared.yml @@ -89,10 +89,15 @@ jobs: - name: Setup uses: ./.github/actions/setup - - name: Download build artifacts - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + - name: Restore build artifacts cache + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: - name: cli-build-${{ inputs.shell }}-${{ inputs.version }} + path: | + packages/cli-*/bin/ + dist/ + key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-v1 + enableCrossOsArchive: true + fail-on-cache-miss: true # Docker's classic image store keeps a single platform manifest per # tag, so pulling `alpine:3.21` for amd64 and again for arm64 leaves @@ -206,10 +211,15 @@ jobs: - name: Setup uses: ./.github/actions/setup - - name: Download build artifacts - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + - name: Restore build artifacts cache + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: - name: cli-build-${{ inputs.shell }}-${{ inputs.version }} + path: | + packages/cli-*/bin/ + dist/ + key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-v1 + enableCrossOsArchive: true + fail-on-cache-miss: true - name: Sync versions run: pnpm exec bun apps/cli/scripts/sync-versions.ts --version "${VERSION}" @@ -357,10 +367,15 @@ jobs: - name: Setup uses: ./.github/actions/setup - - name: Download build artifacts - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + - name: Restore build artifacts cache + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: - name: cli-build-${{ inputs.shell }}-${{ inputs.version }} + path: | + packages/cli-*/bin/ + dist/ + key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-v1 + enableCrossOsArchive: true + fail-on-cache-miss: true - name: Generate Homebrew tap token id: app-token @@ -404,10 +419,15 @@ jobs: - name: Setup uses: ./.github/actions/setup - - name: Download build artifacts - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + - name: Restore build artifacts cache + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: - name: cli-build-${{ inputs.shell }}-${{ inputs.version }} + path: | + packages/cli-*/bin/ + dist/ + key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-v1 + enableCrossOsArchive: true + fail-on-cache-miss: true - name: Generate Scoop bucket token id: app-token From 81127c8fac306543033074dff78deab864a04b5a Mon Sep 17 00:00:00 2001 From: Julien Goux Date: Mon, 15 Jun 2026 10:08:16 +0200 Subject: [PATCH 2/4] ci: keep cache handoffs on same backend --- .github/workflows/build-cli-artifacts.yml | 7 ++++++- .github/workflows/cli-go-ci.yml | 2 +- .../publish-preview-cli-packages.yml | 2 +- .github/workflows/release-shared.yml | 20 ++++++++++++++++--- 4 files changed, 25 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-cli-artifacts.yml b/.github/workflows/build-cli-artifacts.yml index 3510e3a5be..6c0890f1f4 100644 --- a/.github/workflows/build-cli-artifacts.yml +++ b/.github/workflows/build-cli-artifacts.yml @@ -16,6 +16,11 @@ on: required: false type: string default: "" + runner: + description: Runner to use for building artifacts + required: false + type: string + default: blacksmith-32vcpu-ubuntu-2404 secrets: SENTRY_DSN: required: false @@ -30,7 +35,7 @@ permissions: jobs: build: name: Build CLI artifacts - runs-on: blacksmith-32vcpu-ubuntu-2404 + runs-on: ${{ inputs.runner }} env: BUN_SHELL: ${{ inputs.shell }} VERSION: ${{ inputs.version }} diff --git a/.github/workflows/cli-go-ci.yml b/.github/workflows/cli-go-ci.yml index b4bda99eff..b73ca8713c 100644 --- a/.github/workflows/cli-go-ci.yml +++ b/.github/workflows/cli-go-ci.yml @@ -54,7 +54,7 @@ jobs: name: Coverage needs: - test - runs-on: ubuntu-latest + runs-on: blacksmith-8vcpu-ubuntu-2404 steps: - name: Restore coverage cache uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 diff --git a/.github/workflows/publish-preview-cli-packages.yml b/.github/workflows/publish-preview-cli-packages.yml index b88d7b06d7..87141b54bf 100644 --- a/.github/workflows/publish-preview-cli-packages.yml +++ b/.github/workflows/publish-preview-cli-packages.yml @@ -38,7 +38,7 @@ jobs: github.event.pull_request.draft == false && needs.build.result == 'success' name: Publish preview package - runs-on: ubuntu-latest + runs-on: blacksmith-8vcpu-ubuntu-2404 env: PREVIEW_VERSION: 0.0.0-pr.${{ github.event.pull_request.number }} PR_NUMBER: ${{ github.event.pull_request.number }} diff --git a/.github/workflows/release-shared.yml b/.github/workflows/release-shared.yml index 3804eaa0ec..fc628919b2 100644 --- a/.github/workflows/release-shared.yml +++ b/.github/workflows/release-shared.yml @@ -54,8 +54,8 @@ on: ANTHROPIC_API_KEY: required: false jobs: - build: - name: Build CLI artifacts + build-blacksmith: + name: Build CLI artifacts (Blacksmith) uses: ./.github/workflows/build-cli-artifacts.yml with: version: ${{ inputs.version }} @@ -65,8 +65,22 @@ jobs: POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }} POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }} + build-github: + name: Build CLI artifacts (GitHub hosted) + uses: ./.github/workflows/build-cli-artifacts.yml + with: + version: ${{ inputs.version }} + shell: ${{ inputs.shell }} + runner: ubuntu-latest + secrets: + SENTRY_DSN: ${{ secrets.SENTRY_DSN }} + POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }} + POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }} + smoke-test: - needs: build + needs: + - build-blacksmith + - build-github strategy: fail-fast: false matrix: From e799f20a588249e17e858325a67aefcc12cbe4cf Mon Sep 17 00:00:00 2001 From: Julien Goux Date: Mon, 15 Jun 2026 10:45:47 +0200 Subject: [PATCH 3/4] ci: shorten release cache critical path --- .github/workflows/release-shared.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release-shared.yml b/.github/workflows/release-shared.yml index fc628919b2..a34ac2bc3a 100644 --- a/.github/workflows/release-shared.yml +++ b/.github/workflows/release-shared.yml @@ -67,6 +67,7 @@ jobs: build-github: name: Build CLI artifacts (GitHub hosted) + if: ${{ !inputs.dry_run }} uses: ./.github/workflows/build-cli-artifacts.yml with: version: ${{ inputs.version }} @@ -80,16 +81,13 @@ jobs: smoke-test: needs: - build-blacksmith - - build-github strategy: fail-fast: false matrix: runner: - blacksmith-8vcpu-ubuntu-2404 - blacksmith-6vcpu-macos-latest - - macos-15-intel - blacksmith-8vcpu-windows-2025 - - windows-11-arm runs-on: ${{ matrix.runner }} env: NPM_TAG: ${{ inputs.npm_tag }} @@ -191,7 +189,9 @@ jobs: working-directory: apps/cli publish: - needs: smoke-test + needs: + - build-github + - smoke-test if: ${{ !inputs.dry_run }} # npm provenance verification rejects non-GitHub-hosted runners with # E422 ("Unsupported GitHub Actions runner environment: self-hosted"). @@ -368,7 +368,7 @@ jobs: publish-homebrew: needs: publish if: ${{ !inputs.dry_run && inputs.publish_brew_scoop }} - runs-on: ubuntu-latest + runs-on: blacksmith-8vcpu-ubuntu-2404 env: BREW_NAME: ${{ inputs.brew_name }} VERSION: ${{ inputs.version }} @@ -420,7 +420,7 @@ jobs: publish-scoop: needs: publish if: ${{ !inputs.dry_run && inputs.publish_brew_scoop }} - runs-on: ubuntu-latest + runs-on: blacksmith-8vcpu-ubuntu-2404 env: SCOOP_NAME: ${{ inputs.scoop_name }} VERSION: ${{ inputs.version }} From 1a45e169089869ed72bd8d9354ff4512c7881da1 Mon Sep 17 00:00:00 2001 From: Julien Goux Date: Mon, 15 Jun 2026 11:08:29 +0200 Subject: [PATCH 4/4] ci: isolate GitHub-hosted release cache --- .github/workflows/build-cli-artifacts.yml | 9 +++++++-- .github/workflows/release-shared.yml | 3 ++- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-cli-artifacts.yml b/.github/workflows/build-cli-artifacts.yml index 6c0890f1f4..9a57a73343 100644 --- a/.github/workflows/build-cli-artifacts.yml +++ b/.github/workflows/build-cli-artifacts.yml @@ -21,6 +21,11 @@ on: required: false type: string default: blacksmith-32vcpu-ubuntu-2404 + cache_key_suffix: + description: Suffix to distinguish build artifact cache producers + required: false + type: string + default: "" secrets: SENTRY_DSN: required: false @@ -91,7 +96,7 @@ jobs: path: | packages/cli-*/bin/ dist/ - key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-v1 + key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}${{ inputs.cache_key_suffix }}-v1 enableCrossOsArchive: true lookup-only: true @@ -102,5 +107,5 @@ jobs: path: | packages/cli-*/bin/ dist/ - key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-v1 + key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}${{ inputs.cache_key_suffix }}-v1 enableCrossOsArchive: true diff --git a/.github/workflows/release-shared.yml b/.github/workflows/release-shared.yml index a34ac2bc3a..751b8d4cbe 100644 --- a/.github/workflows/release-shared.yml +++ b/.github/workflows/release-shared.yml @@ -73,6 +73,7 @@ jobs: version: ${{ inputs.version }} shell: ${{ inputs.shell }} runner: ubuntu-latest + cache_key_suffix: -github secrets: SENTRY_DSN: ${{ secrets.SENTRY_DSN }} POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }} @@ -231,7 +232,7 @@ jobs: path: | packages/cli-*/bin/ dist/ - key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-v1 + key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-github-v1 enableCrossOsArchive: true fail-on-cache-miss: true