ci: migrate workflows to namespace runners

[jdx]

Summary

• move Linux and macOS CI, docs, release automation, benchmark refresh, packaging, and publish jobs to Namespace runner profiles
• keep Windows jobs on GitHub-hosted runners where no Namespace Windows profile is configured
• replace Rust cache usage on Namespace jobs with namespacelabs/nscloud-cache-action and add actionlint runner-label config
• preserve existing matrix.os values while adding matrix.runner so artifact names and OS conditionals keep working

Notes

• mirrors the runner split used in ci: migrate to namespace.so runners jdx/hk#891: namespace-profile-endev-linux-amd64, namespace-profile-endev-macos-arm64, and GitHub-hosted Windows
• drops the GitHub Actions cache restore from bench-refresh; the Namespace runner profile provides the cache volume

Validation

• MISE_LOCKED=1 mise x actionlint@latest -- actionlint
• git diff --check

This PR was generated by Codex.

---

Note

Medium Risk
Touches many release/CI workflows and runner environments, so misconfigured runners/caching could break builds, releases, or publish automation despite minimal application-code impact.

Overview
Migrates CI, release automation, docs, benchmarking, and publish workflows from ubuntu-latest/macos-latest GitHub-hosted runners to Namespace runner profiles (e.g. namespace-profile-endev-linux-amd64, namespace-profile-endev-macos-arm64), while explicitly keeping Windows jobs and BATS/jail-sensitive test jobs on GitHub-hosted runners.

Replaces Swatinem/rust-cache usage on the migrated jobs with namespacelabs/nscloud-cache-action (Rust cache) and updates matrices to add a separate matrix.runner so existing matrix.os-based artifact naming/conditionals continue to work. Adds .github/actionlint.yaml runner-label configuration so actionlint recognizes the new self-hosted labels.

^{Reviewed by Cursor Bugbot for commit 6646c8c. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

Migrates Linux and macOS CI, docs, release, and publish jobs to Namespace runner profiles (namespace-profile-endev-linux-amd64 / namespace-profile-endev-macos-arm64), replaces Swatinem/rust-cache with namespacelabs/nscloud-cache-action on those jobs, and adds .github/actionlint.yaml to suppress label warnings. Windows, BATS, and jail-sensitive jobs are intentionally kept on GitHub-hosted runners with clear justification comments.

The migration is mechanically consistent: nscloud-cache-action is placed before mise-action in every affected job, the windows job correctly retains Swatinem/rust-cache, and release.yml correctly gates the cache action with if: matrix.runner != 'windows-latest'. The copr-publish Fedora-container job correctly omits the cache action since Rust is installed inside the container via dnf.

Confidence Score: 5/5

Safe to merge; no new issues found beyond those already raised in prior review threads.

All namespace-runner jobs use the correct nscloud-cache-action-before-mise-action ordering, Windows jobs retain their original cache setup, and the matrix.os/matrix.runner split correctly preserves artifact naming and OS conditionals throughout. The two open concerns (bench registry cache and release-plz-pr step ordering) were flagged in previous review threads and are not new findings here.

No files require special attention beyond the previously flagged threads on release-plz.yml and bench-refresh.yml.

Important Files Changed

Filename	Overview
.github/actionlint.yaml	New file registering three Namespace runner labels for actionlint; includes linux-arm64 label not yet used by any workflow (forward-compatible).
.github/workflows/ci.yml	build/test-linux/final migrated to namespace runners with correct nscloud-cache-action-before-mise-action order; bats/bats-serial/windows kept on GitHub-hosted runners with justified comments; matrix.os preserved for artifact naming.
.github/workflows/release.yml	runner field added to matrix; nscloud-cache-action correctly guarded by if: matrix.runner != 'windows-latest' so Windows targets continue using existing cache paths.
.github/workflows/release-plz.yml	Most jobs migrated cleanly; nscloud-cache-action ordering in release-plz-pr was flagged in a previous review thread.
.github/workflows/bench-refresh.yml	Namespace runner migration and cache replacement look correct; hermetic bench registry cache concern flagged in a prior review thread; check job now uses cargo metadata without an explicit Rust install step (Rust must be in the runner profile).
.github/workflows/autofix.yml	Runner and cache action swapped correctly; nscloud-cache-action placed before mise-action.
.github/workflows/docs.yml	build and deploy jobs migrated to namespace runner; cache action order is correct.
.github/workflows/copr-publish.yml	Runner migrated; no nscloud-cache-action added (correct — Rust is installed via dnf inside the Fedora container, not through the runner's cache volume).
.github/workflows/publish-npm.yml	Runner migrated; no Rust cache needed since this is a publish-only job.
.github/workflows/publish-homebrew.yml	Runner migrated; no Rust cache needed for formula publishing.
.github/workflows/ppa-publish.yml	Runner migrated; no Rust cache step required.
.github/workflows/semantic-pr-lint.yml	Runner migrated to namespace runner; lightweight PR-title lint job.

_{Reviews (3): Last reviewed commit: "ci: migrate workflows to namespace runne..." | Re-trigger Greptile}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 1e575a6. Configure here.}