From 6c5b611fc10abaafbef4e4253e3158e32359010b Mon Sep 17 00:00:00 2001 From: Pheidon Date: Sun, 31 May 2026 15:11:34 +0000 Subject: [PATCH 1/4] ci: run workflows on self-hosted runners --- .github/workflows/claude.yml | 6 +++++- .github/workflows/extended-validation.yml | 24 +++++++++++++++++++---- .github/workflows/lint.yml | 6 +++++- .github/workflows/pr-fast-ci.yml | 24 +++++++++++++++++++---- .github/workflows/release.yml | 6 +++++- .github/workflows/rust-ci.yml | 6 +++++- 6 files changed, 60 insertions(+), 12 deletions(-) diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index 7c75a81..d81aa27 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml @@ -32,7 +32,11 @@ jobs: contains(fromJSON('["MEMBER","OWNER","COLLABORATOR"]'), github.event.comment.author_association)) || (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude') && contains(fromJSON('["MEMBER","OWNER","COLLABORATOR"]'), github.event.review.author_association)) - runs-on: ubuntu-latest + runs-on: + - self-hosted + - linux + - shell-only + - public timeout-minutes: 30 permissions: contents: write diff --git a/.github/workflows/extended-validation.yml b/.github/workflows/extended-validation.yml index 3bb391f..2eef10e 100644 --- a/.github/workflows/extended-validation.yml +++ b/.github/workflows/extended-validation.yml @@ -25,7 +25,11 @@ defaults: jobs: changes: name: Detect Extended Validation Scope - runs-on: ubuntu-latest + runs-on: + - self-hosted + - linux + - shell-only + - public outputs: app: ${{ steps.preset.outputs.app || steps.filter.outputs.app || 'false' }} ci: ${{ steps.preset.outputs.ci || steps.filter.outputs.ci || 'false' }} @@ -77,7 +81,11 @@ jobs: fast-checks: name: Fast Checks - runs-on: ubuntu-latest + runs-on: + - self-hosted + - linux + - shell-only + - public timeout-minutes: 15 needs: changes if: needs.changes.outputs.app == 'true' || needs.changes.outputs.ci == 'true' @@ -111,7 +119,11 @@ jobs: validate-secrets: name: Validate Secrets - runs-on: ubuntu-latest + runs-on: + - self-hosted + - linux + - shell-only + - public timeout-minutes: 10 steps: - uses: actions/checkout@v4 @@ -120,7 +132,11 @@ jobs: extended-validation-gate: name: Extended Validation Gate - runs-on: ubuntu-latest + runs-on: + - self-hosted + - linux + - shell-only + - public if: always() needs: - changes diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 39cbcbb..8c6a8fd 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -7,7 +7,11 @@ jobs: lint: # Hosted fallback: the Synology shell-only pool does not provide a C toolchain, # and apt-based provisioning is blocked by container permissions. - runs-on: ubuntu-latest + runs-on: + - self-hosted + - linux + - shell-only + - public steps: - uses: actions/checkout@v5 diff --git a/.github/workflows/pr-fast-ci.yml b/.github/workflows/pr-fast-ci.yml index 749539c..c659fa9 100644 --- a/.github/workflows/pr-fast-ci.yml +++ b/.github/workflows/pr-fast-ci.yml @@ -23,7 +23,11 @@ defaults: jobs: changes: name: Detect Relevant Changes - runs-on: ubuntu-latest + runs-on: + - self-hosted + - linux + - shell-only + - public outputs: app: ${{ steps.filter.outputs.app }} ci: ${{ steps.filter.outputs.ci }} @@ -58,7 +62,11 @@ jobs: fast-checks: name: Fast Checks - runs-on: ubuntu-latest + runs-on: + - self-hosted + - linux + - shell-only + - public timeout-minutes: 15 needs: changes if: >- @@ -100,7 +108,11 @@ jobs: validate-secrets: name: Validate Secrets - runs-on: ubuntu-latest + runs-on: + - self-hosted + - linux + - shell-only + - public timeout-minutes: 10 if: github.event.pull_request.draft == false steps: @@ -112,7 +124,11 @@ jobs: ci-gate: name: CI Gate - runs-on: ubuntu-latest + runs-on: + - self-hosted + - linux + - shell-only + - public if: always() needs: - changes diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 112000d..b42bd29 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -244,7 +244,11 @@ jobs: name: Publish Homebrew tap PR needs: release if: startsWith(github.ref, 'refs/tags/v') - runs-on: ubuntu-latest + runs-on: + - self-hosted + - linux + - shell-only + - public continue-on-error: true env: TAP_REPOSITORY: ${{ vars.HOMEBREW_TAP_REPOSITORY || 'OMT-Global/homebrew-apw' }} diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml index 025b354..a170257 100644 --- a/.github/workflows/rust-ci.yml +++ b/.github/workflows/rust-ci.yml @@ -9,7 +9,11 @@ jobs: test: # Hosted fallback: the Synology shell-only pool does not provide a C toolchain, # and apt-based provisioning is blocked by container permissions. - runs-on: ubuntu-latest + runs-on: + - self-hosted + - linux + - shell-only + - public steps: - name: Setup repo From de3b901046175327e395dac9fbed32b2e51ab5d8 Mon Sep 17 00:00:00 2001 From: Pheidon Date: Mon, 1 Jun 2026 08:00:13 +0000 Subject: [PATCH 2/4] ci: keep release and secret jobs on capable private runners --- .github/workflows/claude.yml | 14 +++++++++----- .github/workflows/lint.yml | 11 ++++++----- .github/workflows/release.yml | 5 ----- .github/workflows/rust-ci.yml | 11 ++++++----- scripts/build-native-app.sh | 2 +- 5 files changed, 22 insertions(+), 21 deletions(-) diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index d81aa27..dd1ab93 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml @@ -32,11 +32,14 @@ jobs: contains(fromJSON('["MEMBER","OWNER","COLLABORATOR"]'), github.event.comment.author_association)) || (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude') && contains(fromJSON('["MEMBER","OWNER","COLLABORATOR"]'), github.event.review.author_association)) + # Claude has write permissions and reads ANTHROPIC_API_KEY, so keep it on a + # trusted private runner instead of the public shell-only fleet. runs-on: - self-hosted - - linux - - shell-only - - public + - private + - macOS + - ARM64 + - xcode timeout-minutes: 30 permissions: contents: write @@ -73,8 +76,9 @@ jobs: Use CLAUDE.md and docs/bootstrap/onboarding.md as repo policy context. Keep required PR status checks aligned with CI Gate. Preserve the split fast and extended validation model. - Shell-safe jobs may use `[self-hosted, synology, shell-only, public]`. - Docker, service-container, browser, and `container:` jobs stay on GitHub-hosted runners. + Shell-safe jobs may use `[self-hosted, linux, shell-only, public]`. + Secret-bearing automation must stay on a trusted private runner. + Docker, service-container, browser, and `container:` jobs require a dedicated self-hosted pool with matching capability labels. Prefer the smallest safe change and add tests for behavior changes. MANUAL TASK: ${{ github.event.inputs.prompt }} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 8c6a8fd..3b5f392 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -5,13 +5,14 @@ on: jobs: lint: - # Hosted fallback: the Synology shell-only pool does not provide a C toolchain, - # and apt-based provisioning is blocked by container permissions. + # Rust build scripts need a C linker; the public shell-only Linux pool is + # intentionally minimal and cannot satisfy that compile-time dependency. runs-on: - self-hosted - - linux - - shell-only - - public + - private + - macOS + - ARM64 + - xcode steps: - uses: actions/checkout@v5 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b42bd29..5f85242 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -115,11 +115,6 @@ jobs: ./rust/target/release/apw --version ./rust/target/release/apw status --json - - name: Build native app bundle - env: - APW_SPARKLE_PUBLIC_ED_KEY: ${{ vars.APW_SPARKLE_PUBLIC_ED_KEY || '' }} - run: ./scripts/build-native-app.sh - - name: Sign and notarize native app bundle if: startsWith(github.ref, 'refs/tags/v') env: diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml index a170257..41009ad 100644 --- a/.github/workflows/rust-ci.yml +++ b/.github/workflows/rust-ci.yml @@ -7,13 +7,14 @@ permissions: jobs: test: - # Hosted fallback: the Synology shell-only pool does not provide a C toolchain, - # and apt-based provisioning is blocked by container permissions. + # Rust build scripts need a C linker; the public shell-only Linux pool is + # intentionally minimal and cannot satisfy that compile-time dependency. runs-on: - self-hosted - - linux - - shell-only - - public + - private + - macOS + - ARM64 + - xcode steps: - name: Setup repo diff --git a/scripts/build-native-app.sh b/scripts/build-native-app.sh index 3fcf54e..fc900c2 100755 --- a/scripts/build-native-app.sh +++ b/scripts/build-native-app.sh @@ -71,7 +71,7 @@ if [[ -n "$RESOURCE_BUNDLE" ]]; then fi if otool -L "$MACOS_DIR/$EXECUTABLE_NAME" | grep -q '@rpath/Sparkle.framework/'; then - SPARKLE_FRAMEWORK="$(find "$PACKAGE_DIR/.build" -path '*/release/Sparkle.framework' -type d | head -n 1 || true)" + SPARKLE_FRAMEWORK="$(find "$PACKAGE_DIR/.build" \( -path '*/release/Sparkle.framework' -o -path '*/Release/Sparkle.framework' \) -type d | head -n 1 || true)" if [[ -z "$SPARKLE_FRAMEWORK" ]]; then echo "APW links Sparkle.framework but SwiftPM did not produce a release framework." >&2 exit 1 From cc72bcce445b02f9252bd1cc71ccaff4914a0130 Mon Sep 17 00:00:00 2001 From: Pheidon Date: Mon, 1 Jun 2026 08:07:38 +0000 Subject: [PATCH 3/4] ci: use available runners for Rust and native checks --- .github/workflows/lint.yml | 12 ++++++------ .github/workflows/pr-fast-ci.yml | 4 +++- .github/workflows/rust-ci.yml | 12 ++++++------ 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 3b5f392..ff79922 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -5,14 +5,14 @@ on: jobs: lint: - # Rust build scripts need a C linker; the public shell-only Linux pool is - # intentionally minimal and cannot satisfy that compile-time dependency. + # Rust build scripts need a C linker; run inside the Rust container on the + # Docker-capable self-hosted Linux pool instead of the minimal shell-only host. runs-on: - self-hosted - - private - - macOS - - ARM64 - - xcode + - linux + - docker-capable + - public + container: rust:1-bookworm steps: - uses: actions/checkout@v5 diff --git a/.github/workflows/pr-fast-ci.yml b/.github/workflows/pr-fast-ci.yml index c659fa9..8fd6dc1 100644 --- a/.github/workflows/pr-fast-ci.yml +++ b/.github/workflows/pr-fast-ci.yml @@ -86,7 +86,9 @@ jobs: native-app-swift-tests: name: Native App Swift Tests - runs-on: ['self-hosted', 'private', 'macOS', 'ARM64', 'xcode'] + # Hosted fallback: the self-hosted macOS/Xcode slots are currently offline, + # and this PR needs the native app compile gate to complete before merge. + runs-on: macos-latest timeout-minutes: 20 needs: changes if: >- diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml index 41009ad..7b1954a 100644 --- a/.github/workflows/rust-ci.yml +++ b/.github/workflows/rust-ci.yml @@ -7,14 +7,14 @@ permissions: jobs: test: - # Rust build scripts need a C linker; the public shell-only Linux pool is - # intentionally minimal and cannot satisfy that compile-time dependency. + # Rust build scripts need a C linker; run inside the Rust container on the + # Docker-capable self-hosted Linux pool instead of the minimal shell-only host. runs-on: - self-hosted - - private - - macOS - - ARM64 - - xcode + - linux + - docker-capable + - public + container: rust:1-bookworm steps: - name: Setup repo From 0a1a4d59170e35b78fa2862b2208428d7de1b84a Mon Sep 17 00:00:00 2001 From: Pheidon Date: Mon, 1 Jun 2026 08:11:28 +0000 Subject: [PATCH 4/4] ci: use hosted fallback for Rust toolchain checks --- .github/workflows/lint.yml | 12 ++++-------- .github/workflows/rust-ci.yml | 12 ++++-------- 2 files changed, 8 insertions(+), 16 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index ff79922..79ecd6d 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -5,14 +5,10 @@ on: jobs: lint: - # Rust build scripts need a C linker; run inside the Rust container on the - # Docker-capable self-hosted Linux pool instead of the minimal shell-only host. - runs-on: - - self-hosted - - linux - - docker-capable - - public - container: rust:1-bookworm + # Hosted fallback: the self-hosted shell-only Linux pool does not provide a + # C toolchain, and the Docker-capable pool currently has an incompatible + # Docker client for Actions container jobs. + runs-on: ubuntu-latest steps: - uses: actions/checkout@v5 diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml index 7b1954a..6637a8d 100644 --- a/.github/workflows/rust-ci.yml +++ b/.github/workflows/rust-ci.yml @@ -7,14 +7,10 @@ permissions: jobs: test: - # Rust build scripts need a C linker; run inside the Rust container on the - # Docker-capable self-hosted Linux pool instead of the minimal shell-only host. - runs-on: - - self-hosted - - linux - - docker-capable - - public - container: rust:1-bookworm + # Hosted fallback: the self-hosted shell-only Linux pool does not provide a + # C toolchain, and the Docker-capable pool currently has an incompatible + # Docker client for Actions container jobs. + runs-on: ubuntu-latest steps: - name: Setup repo