ci: migrate CI and release workflows to Blacksmith runners#5300
Merged
Conversation
First step of the Blacksmith rollout from CLI-1497. Every job that runs .github/actions/setup pays 30-45s for the bun install + pnpm install chain; the Blacksmith variants back the bun toolchain cache and pnpm store with sticky-disk reads, so warm runs should drop to ~5-10s across every job. useblacksmith/cache@v5 and useblacksmith/setup-node@v5 fall back to the upstream actions on non-Blacksmith runners, so the macOS and Windows smoke-test legs that consume this composite are unaffected. Refs CLI-1498.
jgoux approved these changes May 19, 2026
Step 2 of the Blacksmith rollout from CLI-1497. Swaps runs-on from ubuntu-latest (GitHub-hosted 4 vCPU / 16 GB) to blacksmith-8vcpu-ubuntu-2404 on the four CPU-bound jobs that gate every PR:
- test.yml::check
- test.yml::test-core
- test.yml::test-e2e (3 shards)
- cli-go-ci.yml::test
Combined with the sticky-disk setup action from the previous commit, the plan estimates PR wall-clock roughly halves (~7m -> ~3-4m). test-e2e-summary, coverage, lint, start, link, and codegen stay on ubuntu-latest -- they're short, not CPU-bound, and outside this PR's scope. Refs CLI-1499.
Step 3 of the Blacksmith rollout from CLI-1497. The build job is the longest serial step on the release critical path (~6m47s on large-linux-x86), driving 8x bun --compile plus 6x go build. Moving it to a 32 vCPU Blacksmith runner should shave 1.5-2 minutes; the sticky-disk node_modules and go-build caches from the previous steps compound on top. Supersedes the org-provisioned large-linux-x86 swap -- per the parent plan, that label was the only remaining holdout once everything else migrates to Blacksmith. Refs CLI-1500.
Step 4 of the Blacksmith rollout from CLI-1497. Replaces ubuntu-latest with blacksmith-8vcpu-ubuntu-2404 in the smoke-test matrix. The Linux leg pulls 6 images x 2 platforms via docker; Blacksmith runners ship a local registry mirror that makes those pulls near-instant, so we rely on it instead of any explicit pre-pull/cache machinery. The QEMU setup stays -- arm64 docker subtests still execute via emulation. A future PR can split the leg into native amd64 + arm64 Blacksmith runners (per the parent plan's PR7). The macOS and Windows entries are unchanged; Blacksmith is Linux-only. Refs CLI-1501.
Extends the smoke-test matrix migration:
- macos-latest -> blacksmith-6vcpu-macos-latest (drop-in, both Apple Silicon ARM64)
- windows-latest -> blacksmith-8vcpu-windows-2025 (Public Beta; bumps OS from Server 2022 to Server 2025). The Windows smoke test (apps/cli/tests/smoke-test-windows.ts) does not use Docker or WSL, so Blacksmith's "no Linux containers on Windows" caveat does not apply here.
macos-15-intel stays on GitHub-hosted -- Blacksmith macOS is ARM-only, so the gating leg of the release pipeline cannot move yet.
Refs CLI-1501.
The macos-15-intel runner is the only smoke-test leg that cannot move to Blacksmith (no Intel macOS option) and is the wall-clock floor of every release. Beta releases trade Intel coverage for speed: stable promotion to main still runs the full matrix and catches Intel-only regressions before npm publish. PR smoke (smoke-test-pr.yml passes prerelease: true) is also skipped under this rule, accepting the trade-off that Intel-only issues will surface at stable promotion rather than at PR time. Refs CLI-1497.
Step 5 of the Blacksmith rollout from CLI-1497. setup-go -> useblacksmith/setup-go@v5: $GOCACHE moves to a sticky disk, so cgo + race-instrumented test binaries don't fully rebuild on every run. Swapped in every cli-go-ci.yml job (test, lint, start, link, codegen) plus release-shared.yml::build and test.yml's check / test-core / test-e2e. checkout -> useblacksmith/checkout@v1 only on jobs that need fetch-depth: 0 (semantic-release plan, fast-forward, and nx-affected in test-e2e). Default depth-1 checkouts are left on actions/checkout@v6 because the incremental fetch win there is negligible. Refs CLI-1502.
Match the action-hardening policy (d2ddf9f) by replacing the floating @v5 / @v1 refs introduced in earlier rollout commits with full 40-char commit SHAs and a trailing "# v<N>" comment, matching the format already used for actions/checkout, actions/setup-node, actions/setup-go, oven-sh/setup-bun, etc.
Resolved tag SHAs (via git ls-remote, 2026-05-19):
- useblacksmith/cache v5 -> 71c7c918062ba3861252d84b07fe5ab2a6b467a6
- useblacksmith/setup-node v5 -> 65c6ca86fdeb0ab3d85e78f57e4f6a7e4780b391
- useblacksmith/setup-go v5 -> f12a3dabb4171193018e496855e47349b360c056
- useblacksmith/checkout v1 -> 41cdeedae8edb2e684ba22896a5fd2a3cb85db6b
Dependabot (github-actions ecosystem) already groups major bumps in .github/dependabot.yml, so these will get automated updates the same way the upstream actions do.
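An added example, not the project's code or anything shipped in this PR, of the check the pinning policy above implies: a small Python lint that scans workflow text for `uses:` references and reports any third-party action that is not pinned to a 40-character commit SHA carrying the trailing `# v<N>` comment. The sample workflow is constructed for the example; the two useblacksmith SHAs in it are the ones resolved in the commit message above, and the floating `actions/setup-node@v6` ref and the comment-less cache pin are included only to trigger the two failure modes.

```python
import re

# A `uses:` step: owner/repo[/subpath]@ref, optionally followed by `# comment`.
# Local actions (`./path`) and `docker://` images carry no `@ref` in this form
# and are intentionally skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v\d+(?:\.\d+)*$")


def check_pins(workflow_text):
    """Return (line_no, action, problem) for each `uses:` reference that is
    not a full 40-hex commit SHA with a trailing `# v<N>` comment."""
    problems = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is None:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not FULL_SHA_RE.match(ref):
            # A tag or branch can be moved after the fact; only a SHA is immutable.
            problems.append((line_no, action, f"ref {ref!r} is not a 40-char commit SHA"))
        elif not comment or not VERSION_COMMENT_RE.match(comment.strip()):
            # The comment is what lets reviewers and Dependabot see which tag the SHA is.
            problems.append((line_no, action, "SHA pin lacks a trailing '# v<N>' comment"))
    return problems


# Constructed sample workflow (hypothetical job layout; SHAs taken from the commit above).
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: blacksmith-32vcpu-ubuntu-2404
    steps:
      - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
      - uses: ./.github/actions/setup
      - uses: actions/setup-node@v6
      - uses: useblacksmith/cache@71c7c918062ba3861252d84b07fe5ab2a6b467a6
"""

if __name__ == "__main__":
    for line_no, action, problem in check_pins(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}: {problem}")
```

Running the script against the sample reports line 9 (floating tag) and line 10 (SHA without a version comment); the local composite action on line 8 is ignored, as the policy only covers third-party actions.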
The useblacksmith/cache, useblacksmith/setup-node, useblacksmith/setup-go forks are now archived. Blacksmith's colocated cache is applied at the runner level (network/DNS interception of cache API calls), so upstream actions/cache@v5, actions/setup-node@v6 and actions/setup-go@v6 hit the same 4x backend transparently — with continued security patches and upstream improvements. Revert prior swaps (PR1 19c4534, PR5 9b05731/3dad0ae) to SHA-pinned upstream actions, bump test.yml's residual actions/cache@v4 to v5, and migrate previously-skipped low-frequency Linux jobs (api-sync, mirror, codeql, release publish/homebrew/scoop) to Blacksmith runners for consistency. useblacksmith/checkout is unchanged — it's a separate sticky-disk product, not part of the deprecated cache-fork family.
avallete added a commit that referenced this pull request May 20, 2026
…5312)

The release workflow's `publish` job was migrated to a Blacksmith runner in #5300, which broke npm publish:

```
npm error 422 Unprocessable Entity - PUT https://registry.npmjs.org/@supabase%2fcli-darwin-arm64 - Error verifying sigstore provenance bundle: Unsupported GitHub Actions runner environment: "self-hosted". Only "github-hosted" runners are supported when publishing with provenance.
```

`publish.ts` passes `--provenance` to `pnpm publish`, which has sigstore attest the build against the runner's OIDC identity. Blacksmith runners present as `self-hosted` to sigstore, so npm rejects the upload with E422.

Move only the `publish` job back to `ubuntu-latest`. `build` and `smoke-test` stay on Blacksmith; `publish-homebrew` and `publish-scoop` don't go through npm/sigstore (they push to the tap/bucket repos via git) and also stay on Blacksmith. The publish job is short and not compute-bound, so the wall-clock cost of github-hosted is negligible.

Failed run that motivated this: https://github.com/supabase/cli/actions/runs/26153946606

---
_Generated by [Claude Code](https://claude.ai/code/session_01RDNmHeyREpf3ZBQLggK75q)_

---------

Co-authored-by: Claude <noreply@anthropic.com>
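An added example, not the project's code, of a policy check that would have caught the failure in this commit before a release ran: it walks the `jobs:` mapping of a workflow and reports any job whose `run:` steps publish with `--provenance` while `runs-on` is not a GitHub-hosted label. The release workflow text is constructed here and only approximates the real one. The parser is deliberately minimal: it assumes two-space indentation and scalar `runs-on` values, and it treats org-defined or expression labels (e.g. `${{ matrix.os }}`) as not hosted so they surface for manual review rather than being silently accepted.

```python
# Standard GitHub-hosted label families; org-defined larger-runner labels
# would need to be added here explicitly if an org uses them for publishing.
GITHUB_HOSTED_PREFIXES = ("ubuntu-", "windows-", "macos-")


def parse_jobs(workflow_text):
    """Minimal indentation-based walk of the `jobs:` mapping.
    Returns {job_name: {"runs_on": str | None, "run_lines": [str, ...]}}.
    Handles scalar `run:` values and `run: |` block scalars; not a YAML parser."""
    jobs, current, in_jobs, block_indent = {}, None, False, None
    for raw in workflow_text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        # Inside a `run: |` block: every deeper-indented line is script text.
        if block_indent is not None and indent > block_indent:
            jobs[current]["run_lines"].append(line)
            continue
        block_indent = None
        if line.startswith("#"):
            continue
        if indent == 0:
            in_jobs, current = line == "jobs:", None
            continue
        if not in_jobs:
            continue
        if indent == 2 and line.endswith(":"):
            current = line[:-1]
            jobs[current] = {"runs_on": None, "run_lines": []}
        elif current is None:
            continue
        elif indent == 4 and line.startswith("runs-on:"):
            jobs[current]["runs_on"] = line.split(":", 1)[1].strip()
        elif line.startswith(("run:", "- run:")):
            value = line.split("run:", 1)[1].strip()
            if value in ("|", ">", "|-", ">-", "|+", ">+"):
                block_indent = indent
            else:
                jobs[current]["run_lines"].append(value)
    return jobs


def is_github_hosted(label):
    """True only for the standard GitHub-hosted label families; expressions and
    unknown labels are treated as not hosted so the check errs on the safe side."""
    return label is not None and label.startswith(GITHUB_HOSTED_PREFIXES)


def check_provenance_runners(workflow_text):
    """Return job names that publish with --provenance on a non-GitHub-hosted
    runner. npm's sigstore verification rejects the "self-hosted" environment,
    so such a job fails at publish time with a 422."""
    bad = []
    for name, job in parse_jobs(workflow_text).items():
        uses_provenance = any("--provenance" in cmd for cmd in job["run_lines"])
        if uses_provenance and not is_github_hosted(job["runs_on"]):
            bad.append(name)
    return bad


# Constructed release workflow (hypothetical; mirrors the job names in the commit above).
SAMPLE_RELEASE = """\
name: release
on:
  workflow_dispatch:
jobs:
  build:
    runs-on: blacksmith-32vcpu-ubuntu-2404
    steps:
      - run: bun run build
  publish:
    runs-on: blacksmith-2vcpu-ubuntu-2404
    steps:
      - run: |
          pnpm publish --provenance --access public
  publish-homebrew:
    runs-on: blacksmith-2vcpu-ubuntu-2404
    steps:
      - run: git push origin main
"""

# The fix from the commit above: only `publish` moves back to a GitHub-hosted label.
FIXED_RELEASE = SAMPLE_RELEASE.replace(
    "  publish:\n    runs-on: blacksmith-2vcpu-ubuntu-2404",
    "  publish:\n    runs-on: ubuntu-latest",
)

if __name__ == "__main__":
    print("before fix:", check_provenance_runners(SAMPLE_RELEASE))
    print("after fix: ", check_provenance_runners(FIXED_RELEASE))
```

Only `publish` is flagged in the sample; `publish-homebrew` pushes via git and never invokes `--provenance`, so it can stay on Blacksmith exactly as the commit describes.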
What

Moves the CI and release pipelines onto Blacksmith runners and threads Blacksmith's caching layers through the workflows that benefit from them.

Runner moves:
- `test.yml` (check, test-core, test-e2e) → `blacksmith-8vcpu-ubuntu-2404`.
- `cli-go-ci.yml::test` (Go unit/integration) → `blacksmith-8vcpu-ubuntu-2404`.
- `build` (heavy multi-target Bun compile) → `blacksmith-32vcpu-ubuntu-2404`.
- `smoke-test` matrix: Linux → `blacksmith-8vcpu-ubuntu-2404`, macOS → `blacksmith-6vcpu-macos-latest`, Windows → `blacksmith-8vcpu-windows-2025`. `macos-15-intel` stays on GitHub-hosted (Blacksmith macOS is ARM-only) and is skipped on prereleases so beta wall-clock isn't gated by the slowest leg — stable releases on `main` still run it.
- `publish` / `publish-homebrew` / `publish-scoop` → `blacksmith-2vcpu-ubuntu-2404`.
- `cli-go-api-sync`, `cli-go-mirror`, `cli-go-codeql` (non-Swift legs) → matching Blacksmith sizes for consistency.

Caching:
- `useblacksmith/checkout@v1` on `test-e2e` to exploit Blacksmith's sticky-disk git mirror with `fetch-depth: 0` (the cli-e2e shards need full history for `nx affected`).
- `actions/cache@v5`, `actions/setup-node@v6`, `actions/setup-go@v6` — all SHA-pinned — for cache + toolchain setup. Initially this PR swapped to the `useblacksmith/cache`, `useblacksmith/setup-node`, `useblacksmith/setup-go` forks; partway through, those forks were archived in favor of Blacksmith's runner-level interception, which transparently routes upstream cache API calls to the same colocated backend. The final commit reverts to upstream and bumps the residual `actions/cache@v4` in `test.yml` to `@v5` so every cache step gets the new acceleration with continued upstream security patches.

All third-party action pins use full commit SHAs with trailing `# v<N>` comments.

Why

The CI wall-clock on this repo had grown into the territory where it visibly slowed merges (test.yml routinely ~20+ min, release build ~30+ min). Blacksmith's larger runners + colocated cache cut both materially, and the `test-e2e` checkout in particular benefits from the sticky-disk git mirror because `fetch-depth: 0` was the dominant fixed cost in that job.

The upstream-vs-fork pivot matters for hygiene: the archived `useblacksmith/*` cache forks still execute when SHA-pinned, but get no future security patches and miss out on Blacksmith's newer transparent acceleration. Going through upstream actions gives us both — Blacksmith routing and normal upstream maintenance — at no behavioral cost.

Scope deliberately excluded

- `cli-go-pg-prove.yml` / `cli-go-publish-migra.yml` Docker builds: separate follow-up, requires migrating to `useblacksmith/setup-docker-builder@v1` + `useblacksmith/build-push-action@v2` and dropping `cache-from: type=gha` (the GHA cache backend is not transparently routed by Blacksmith). Tracked, not in this PR.
- `test.yml`'s explicit Go-binary cache step now that `$GOCACHE` is colocated: deferred until warm-cache rebuild time can be measured on Blacksmith.

https://claude.ai/code/session_01KgHCbVTurxo4K9KivytQbt