Skip to content

ci(actions): route PR checks to self-hosted runner #3986

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jolestar merged 18 commits into from
Apr 7, 2026
Merged

ci(actions): route PR checks to self-hosted runner #3986

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
e0798b5
ci(actions): route PR checks to self-hosted runner
jolestar Mar 31, 2026
457c23a
fix(framework): keep old genesis stable for clear fields gas
jolestar Apr 1, 2026
e12159a
Route self-hosted CI to ephemeral runners
jolestar Apr 2, 2026
d478521
Trigger CI after runspawn guest Docker fix
jolestar Apr 3, 2026
a66723b
Trigger CI after clean runspawn rollout
jolestar Apr 3, 2026
dade722
Trigger CI after GitHub direct bypass
jolestar Apr 3, 2026
16fe0e6
Trigger CI after GitHub direct rules
jolestar Apr 3, 2026
afdb9a9
Run cancel workflow on GitHub-hosted runners
jolestar Apr 3, 2026
9b10bf2
Make cancel workflow best-effort
jolestar Apr 3, 2026
7ada632
Disable legacy cancel workflow
jolestar Apr 3, 2026
f5a7f13
Keep cancel workflow on self-hosted as a no-op
jolestar Apr 3, 2026
fcd2275
Add concurrency to CI workflows
jolestar Apr 4, 2026
19b40a3
Harden CI dependency fetching and CodeQL setup
jolestar Apr 4, 2026
f028163
Move lightweight CI workflows off self-hosted runners
jolestar Apr 4, 2026
dc95c13
Keep CI on self-hosted and disable CodeQL for now
jolestar Apr 4, 2026
65d3288
Reuse preinstalled cargo-nextest in CI
jolestar Apr 4, 2026
6a2849d
Move lightweight CI workflows back to GitHub-hosted
jolestar Apr 4, 2026
4e0b9ac
Force GitHub checkout over HTTP/1.1 on self-hosted
jolestar Apr 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 40 additions & 1 deletion .github/actions/rust-setup/action.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,46 @@
runs:
using: composite
steps:
- run: sudo apt-get update && sudo apt-get install ca-certificates gcc libc6-dev build-essential libsqlite3-dev libprotobuf-dev protobuf-compiler wget cmake make clang g++ libsnappy-dev llvm libclang-dev curl git libpq-dev libssl-dev pkg-config lsof lld --no-install-recommends --assume-yes
- run: |
set -euo pipefail
packages=(
ca-certificates
gcc
libc6-dev
build-essential
libsqlite3-dev
libprotobuf-dev
protobuf-compiler
wget
cmake
make
clang
g++
libsnappy-dev
llvm
libclang-dev
curl
git
libpq-dev
libssl-dev
pkg-config
lsof
lld
)

missing=()
for pkg in "${packages[@]}"; do
if ! dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null | grep -q "install ok installed"; then
missing+=("$pkg")
fi
done

if [ "${#missing[@]}" -gt 0 ]; then
sudo apt-get update
sudo apt-get install --no-install-recommends --assume-yes "${missing[@]}"
else
echo "All required apt packages already installed"
fi
shell: bash

- uses: dtolnay/[email protected]
Expand Down
13 changes: 2 additions & 11 deletions .github/workflows/cancel.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,14 +9,5 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 3
steps:
- uses: styfle/[email protected]
with:
# get work flow id by https://api.github.com/repos/rooch-network/rooch/actions/workflows
# 57258338: Check-Build-Test (check_build_test.yml)
# 62413072: Build Docker And Deploy Seed (docker_build.yml)
# 207962511: Cross-Platform Build Check (cross_platform_check.yml)
# 207962513: Quick Checks (quick_checks.yml)
# Get IDs from: https://api.github.com/repos/rooch-network/rooch/actions/workflows
workflow_id: 57258338,62413072,207962511,207962513
ignore_sha: true
access_token: ${{ github.token }}
- name: Skip legacy cancel workflow
run: echo "cancel workflow is disabled; concurrency is managed elsewhere"
166 changes: 139 additions & 27 deletions .github/workflows/check_build_test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,17 +18,28 @@ on:
- '**.md'
- 'crates/rooch-anomalies/static/**'

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.workflow_run.head_branch || github.ref }}
cancel-in-progress: true

env:
CARGO_TERM_COLOR: always
RUST_BACKTRACE: 1
ENV_TEST_ON_CI: 1
CARGO_INCREMENTAL: 0
CARGO_NET_GIT_FETCH_WITH_CLI: true
GIT_CONFIG_COUNT: 2
GIT_CONFIG_KEY_0: http.version
GIT_CONFIG_VALUE_0: HTTP/1.1
GIT_CONFIG_KEY_1: http.maxRequests
GIT_CONFIG_VALUE_1: "2"

jobs:
# Route all Linux self-hosted jobs to the ephemeral VM runner.
# Phase 1: Check changes
check_changes:
name: Check Changes
Copy link

Copilot AI Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These workflows run on pull_request events, and switching to a generic runs-on: self-hosted means untrusted PR code will execute on your self-hosted infrastructure. If this repo accepts PRs from forks/external contributors, consider restricting self-hosted execution (e.g., only when github.event.pull_request.head.repo.fork == false / same-repo PRs) or routing fork PRs to a hardened/ephemeral runner label dedicated to untrusted workloads.

Suggested change
name: Check Changes
name: Check Changes
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false

Copilot uses AI. Check for mistakes.
runs-on: ubuntu-latest
runs-on: [self-hosted, larger-runner, ephemeral-vm]
outputs:
core: ${{ steps.changes.outputs.core }}
sdk_web: ${{ steps.changes.outputs.sdk_web }}
Expand Down Expand Up @@ -64,10 +75,10 @@ jobs:
- 'pnpm-workspace.yaml'
- 'prettier.config.js'

# Phase 2: Build and verify (larger-runner)
# Phase 2: Build and verify on the self-hosted Linux runner
build_and_verify:
name: Build and Verify
runs-on: larger-runner
runs-on: [self-hosted, larger-runner, ephemeral-vm]
needs: check_changes
if: ${{ needs.check_changes.outputs.core == 'true' || needs.check_changes.outputs.sdk_web == 'true' }}
timeout-minutes: 75
Expand Down Expand Up @@ -113,6 +124,7 @@ jobs:

- name: Upload build artifacts
uses: actions/upload-artifact@v4
continue-on-error: true
with:
name: rooch-binaries
path: |
Expand All @@ -121,11 +133,11 @@ jobs:
target/optci/framework-release
retention-days: 1

# Phase 3: Rust tests (compile and run on ubuntu-latest with cache)
# Phase 3: Rust tests (compile and run on the self-hosted Linux runner with cache)
test_rust_unit:
name: Rust Unit Tests
runs-on: ubuntu-latest
needs: build_and_verify
runs-on: [self-hosted, larger-runner, ephemeral-vm]
needs: [check_changes, build_and_verify]
if: ${{ needs.check_changes.outputs.core == 'true' }}
timeout-minutes: 60
steps:
Expand All @@ -148,8 +160,12 @@ jobs:

- name: Install cargo-nextest
run: |
echo "Installing cargo-nextest from GitHub releases..."
curl -LsSf https://github.com/nextest-rs/nextest/releases/download/cargo-nextest-0.9.97/cargo-nextest-0.9.97-x86_64-unknown-linux-gnu.tar.gz | tar xz -C ~/.cargo/bin
if cargo nextest --version >/dev/null 2>&1; then
echo "Using preinstalled cargo-nextest"
else
echo "Installing cargo-nextest from GitHub releases..."
curl -LsSf https://github.com/nextest-rs/nextest/releases/download/cargo-nextest-0.9.97/cargo-nextest-0.9.97-x86_64-unknown-linux-gnu.tar.gz | tar xz -C ~/.cargo/bin
fi
cargo nextest --version

- name: Run Rust unit tests
Expand All @@ -161,8 +177,8 @@ jobs:

test_rust_framework:
name: Rust Framework Tests
runs-on: ubuntu-latest
needs: build_and_verify
runs-on: [self-hosted, larger-runner, ephemeral-vm]
needs: [check_changes, build_and_verify]
if: ${{ needs.check_changes.outputs.core == 'true' }}
timeout-minutes: 45
steps:
Expand All @@ -185,8 +201,12 @@ jobs:

- name: Install cargo-nextest
run: |
echo "Installing cargo-nextest from GitHub releases..."
curl -LsSf https://github.com/nextest-rs/nextest/releases/download/cargo-nextest-0.9.97/cargo-nextest-0.9.97-x86_64-unknown-linux-gnu.tar.gz | tar xz -C ~/.cargo/bin
if cargo nextest --version >/dev/null 2>&1; then
echo "Using preinstalled cargo-nextest"
else
echo "Installing cargo-nextest from GitHub releases..."
curl -LsSf https://github.com/nextest-rs/nextest/releases/download/cargo-nextest-0.9.97/cargo-nextest-0.9.97-x86_64-unknown-linux-gnu.tar.gz | tar xz -C ~/.cargo/bin
fi
cargo nextest --version

- name: Run Rust framework tests
Expand All @@ -198,8 +218,8 @@ jobs:

test_rust_bitcoin:
name: Rust Bitcoin Tests
runs-on: ubuntu-latest
needs: build_and_verify
runs-on: [self-hosted, larger-runner, ephemeral-vm]
needs: [check_changes, build_and_verify]
if: ${{ needs.check_changes.outputs.core == 'true' }}
timeout-minutes: 30
steps:
Expand All @@ -222,8 +242,12 @@ jobs:

- name: Install cargo-nextest
run: |
echo "Installing cargo-nextest from GitHub releases..."
curl -LsSf https://github.com/nextest-rs/nextest/releases/download/cargo-nextest-0.9.97/cargo-nextest-0.9.97-x86_64-unknown-linux-gnu.tar.gz | tar xz -C ~/.cargo/bin
if cargo nextest --version >/dev/null 2>&1; then
echo "Using preinstalled cargo-nextest"
else
echo "Installing cargo-nextest from GitHub releases..."
curl -LsSf https://github.com/nextest-rs/nextest/releases/download/cargo-nextest-0.9.97/cargo-nextest-0.9.97-x86_64-unknown-linux-gnu.tar.gz | tar xz -C ~/.cargo/bin
fi
cargo nextest --version

- name: Run Rust Bitcoin tests
Expand All @@ -235,8 +259,8 @@ jobs:

test_rust_integration_suite:
name: Rust Integration Suite Tests
runs-on: ubuntu-latest
needs: build_and_verify
runs-on: [self-hosted, larger-runner, ephemeral-vm]
needs: [check_changes, build_and_verify]
if: ${{ needs.check_changes.outputs.core == 'true' }}
timeout-minutes: 60
steps:
Expand All @@ -259,8 +283,12 @@ jobs:

- name: Install cargo-nextest
run: |
echo "Installing cargo-nextest from GitHub releases..."
curl -LsSf https://github.com/nextest-rs/nextest/releases/download/cargo-nextest-0.9.97/cargo-nextest-0.9.97-x86_64-unknown-linux-gnu.tar.gz | tar xz -C ~/.cargo/bin
if cargo nextest --version >/dev/null 2>&1; then
echo "Using preinstalled cargo-nextest"
else
echo "Installing cargo-nextest from GitHub releases..."
curl -LsSf https://github.com/nextest-rs/nextest/releases/download/cargo-nextest-0.9.97/cargo-nextest-0.9.97-x86_64-unknown-linux-gnu.tar.gz | tar xz -C ~/.cargo/bin
fi
cargo nextest --version

- name: Run Rust integration suite tests
Expand All @@ -272,8 +300,8 @@ jobs:

lint:
name: Rust Lint
runs-on: larger-runner
needs: build_and_verify
runs-on: [self-hosted, larger-runner, ephemeral-vm]
needs: [check_changes, build_and_verify]
if: ${{ needs.check_changes.outputs.core == 'true' }}
timeout-minutes: 45
steps:
Expand All @@ -296,14 +324,14 @@ jobs:

- name: Run Rust Lint
run: |
echo "Running lint on larger-runner (compiles workspace for analysis)..."
echo "Running lint on the self-hosted runner (compiles workspace for analysis)..."
make lint
env:
ROOCH_BINARY_BUILD_PROFILE: optci

test_move_frameworks:
name: Move Framework Tests
runs-on: ubuntu-latest
runs-on: [self-hosted, larger-runner, ephemeral-vm]
needs: [check_changes, build_and_verify]
if: ${{ needs.check_changes.outputs.core == 'true' }}
timeout-minutes: 60
Expand All @@ -312,11 +340,39 @@ jobs:
uses: actions/checkout@v4

- name: Download build artifacts
id: download_binaries
uses: actions/download-artifact@v4
continue-on-error: true
with:
name: rooch-binaries
path: target/optci

- name: Check build artifact availability
id: binaries
shell: bash
run: |
if [[ -x target/optci/rooch && -x target/optci/rooch-genesis && -x target/optci/framework-release ]]; then
echo "available=true" >> "$GITHUB_OUTPUT"
else
echo "available=false" >> "$GITHUB_OUTPUT"
echo "Build artifacts unavailable, will rebuild locally."
fi

- name: Setup Rust for local binary rebuild fallback
if: ${{ steps.binaries.outputs.available != 'true' }}
uses: ./.github/actions/rust-setup

- name: Cache Rust dependencies for local binary rebuild fallback
if: ${{ steps.binaries.outputs.available != 'true' }}
uses: Swatinem/rust-cache@v2
with:
shared-key: 'ci'
cache-on-failure: true

- name: Rebuild binaries locally when artifact download is unavailable
if: ${{ steps.binaries.outputs.available != 'true' }}
run: cargo build --profile optci --workspace --bins -j 16

- name: Make binaries executable
run: |
chmod +x target/optci/rooch
Expand All @@ -339,7 +395,7 @@ jobs:

test_move_examples:
name: Move Examples Tests
runs-on: ubuntu-latest
runs-on: [self-hosted, larger-runner, ephemeral-vm]
needs: [check_changes, build_and_verify]
if: ${{ needs.check_changes.outputs.core == 'true' }}
timeout-minutes: 60
Expand All @@ -348,11 +404,39 @@ jobs:
uses: actions/checkout@v4

- name: Download build artifacts
id: download_binaries
uses: actions/download-artifact@v4
continue-on-error: true
with:
name: rooch-binaries
path: target/optci

- name: Check build artifact availability
id: binaries
shell: bash
run: |
if [[ -x target/optci/rooch && -x target/optci/rooch-genesis && -x target/optci/framework-release ]]; then
echo "available=true" >> "$GITHUB_OUTPUT"
else
echo "available=false" >> "$GITHUB_OUTPUT"
echo "Build artifacts unavailable, will rebuild locally."
fi

- name: Setup Rust for local binary rebuild fallback
if: ${{ steps.binaries.outputs.available != 'true' }}
uses: ./.github/actions/rust-setup

- name: Cache Rust dependencies for local binary rebuild fallback
if: ${{ steps.binaries.outputs.available != 'true' }}
uses: Swatinem/rust-cache@v2
with:
shared-key: 'ci'
cache-on-failure: true

- name: Rebuild binaries locally when artifact download is unavailable
if: ${{ steps.binaries.outputs.available != 'true' }}
run: cargo build --profile optci --workspace --bins -j 16

- name: Make binaries executable
run: |
chmod +x target/optci/rooch
Expand All @@ -371,7 +455,7 @@ jobs:

test_sdk_web:
name: SDK and Web Tests
runs-on: ubuntu-latest
runs-on: [self-hosted, larger-runner, ephemeral-vm]
needs: [check_changes, build_and_verify]
if: ${{ needs.check_changes.outputs.core == 'true' || needs.check_changes.outputs.sdk_web == 'true' }}
timeout-minutes: 60
Expand All @@ -380,19 +464,47 @@ jobs:
uses: actions/checkout@v4

- name: Download build artifacts
id: download_binaries
uses: actions/download-artifact@v4
continue-on-error: true
with:
name: rooch-binaries
path: target/optci

- name: Check build artifact availability
id: binaries
shell: bash
run: |
if [[ -x target/optci/rooch && -x target/optci/rooch-genesis && -x target/optci/framework-release ]]; then
echo "available=true" >> "$GITHUB_OUTPUT"
else
echo "available=false" >> "$GITHUB_OUTPUT"
echo "Build artifacts unavailable, will rebuild locally."
fi

- name: Setup Rust for local binary rebuild fallback
if: ${{ steps.binaries.outputs.available != 'true' }}
uses: ./.github/actions/rust-setup

- name: Cache Rust dependencies for local binary rebuild fallback
if: ${{ steps.binaries.outputs.available != 'true' }}
uses: Swatinem/rust-cache@v2
with:
shared-key: 'ci'
cache-on-failure: true

- name: Rebuild binaries locally when artifact download is unavailable
if: ${{ steps.binaries.outputs.available != 'true' }}
run: cargo build --profile optci --workspace --bins -j 16

- name: Make binaries executable
run: |
chmod +x target/optci/rooch
chmod +x target/optci/rooch-genesis
chmod +x target/optci/framework-release

- name: Setup Node.js
uses: actions/setup-node@v2
uses: actions/setup-node@v4
with:
node-version: '20.3.1'

Expand Down
Loading
Loading