chore(ci): switch to github-hosted runners

[jdx]

Summary

• switch active CI/release workflows from Namespace runner labels to GitHub-hosted runners
• replace Namespace cache steps with pinned Swatinem/rust-cache
• remove stale Namespace actionlint allowlist, README CI sponsor block, and unused logo asset

Validation

• actionlint
• git diff --check

This PR was generated by Codex.

---

Note

High Risk
Touches every CI, bench, docs, and release/PGO workflow; runner or cache misconfiguration could break builds, slow releases, or change shipped PGO/BOLT binaries.

Overview
CI and release workflows move off Namespace self-hosted runner labels onto GitHub-hosted runners (ubuntu-latest, macos-latest, ubuntu-24.04-arm for native aarch64 Linux PGO). namespacelabs/nscloud-cache-action is replaced everywhere Rust builds need caching with pinned Swatinem/rust-cache, using shared keys (linux, linux-arm64, windows, macOS) and save-if on main so PRs restore but do not write the shared cache.

Housekeeping drops the Namespace actionlint allowlist, the README CI / Namespace sponsor block, and the unused namespace logo asset. benchmarks/pgo.bash comments now cite GitHub runners for BOLT’s perf/LBR constraints instead of Namespace kernel settings.

^{Reviewed by Cursor Bugbot for commit 6b94faf. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Linux CI lacks shared cache

Medium Severity

The build and test-linux jobs both use Swatinem/rust-cache without a shared-key, so each job gets a separate Actions cache entry. That breaks the shared Rust target/ cache those jobs had when both used the same Namespace cache tag, so test-linux often recompiles from scratch instead of reusing build output and can hit its 30-minute limit.

Additional Locations (1)

• .github/workflows/ci.yml#L78-L81

 

^{Reviewed by Cursor Bugbot for commit 100a168. Configure here.}

[jdx]

Fixed by giving the Ubuntu build and test-linux rust-cache steps a shared linux key while keeping macOS on its own key. Re-ran actionlint and git diff --check.

[greptile-apps]

Greptile Summary

This PR migrates all CI and release workflows from Namespace self-hosted runner labels to standard GitHub-hosted runners (ubuntu-latest, macos-latest, ubuntu-24.04-arm), replacing namespacelabs/nscloud-cache-action with pinned Swatinem/rust-cache steps gated by save-if: github.ref == 'refs/heads/main'. Accompanying cleanup removes the Namespace actionlint allowlist, README sponsor block, and logo asset.

• All Rust-compiling jobs received a Swatinem/rust-cache step with appropriate per-arch shared-key values and write-only-on-main save-if logic; the PGO matrix now uses ubuntu-24.04-arm for native ARM training instead of QEMU.
• The release-plz-pr job (previously flagged for missing cache) is now correctly fixed, but the sibling release-plz-release job — which also had overrides.cache-tag=aube-rust-linux and calls cargo publish on release day — was not given a cache step.

Confidence Score: 4/5

Safe to merge; the only gap is a missing Rust cache on the release-plz-release job, which slows release-day builds but does not break them.

The release-plz-release job previously shared the aube-rust-linux Namespace cache and calls cargo publish (which compiles the full workspace) on release day. It was migrated to ubuntu-latest without a Swatinem/rust-cache step, unlike every other Rust-compiling job in this PR — including the parallel release-plz-pr job that was explicitly fixed here. Release builds will cold-compile until this is addressed.

.github/workflows/release-plz.yml — the release-plz-release job is missing a rust-cache step that all other migrated Rust-compiling jobs received

Important Files Changed

Filename	Overview
.github/workflows/release-plz.yml	Migrates all jobs to ubuntu-latest; adds rust-cache to release-plz-pr (fixing the previously flagged omission), but release-plz-release — which also had overrides.cache-tag=aube-rust-linux — was not given a cache step
.github/workflows/release.yml	PGO matrix migrated to GH-hosted runners (ubuntu-24.04-arm for native ARM); rust-cache added to upload-assets-pgo and upload-assets-musl-arm64 with correct per-arch shared-keys; stale Namespace/Rosetta comment updated
.github/workflows/ci.yml	All jobs switched from Namespace labels to ubuntu-latest/macos-latest; nscloud-cache-action replaced with Swatinem/rust-cache using per-OS shared-keys and save-if=main; comment updated to remove Namespace reference
.github/workflows/bench-pr.yml	Runner and cache action replaced; save-if=main means bench-pr jobs only restore cache (never write), which is intentional for PR jobs
.github/workflows/bench-refresh.yml	Both check and refresh jobs migrated to ubuntu-latest with nscloud-cache-action replaced by Swatinem/rust-cache
.github/workflows/docs.yml	Build job migrated to ubuntu-latest with rust-cache added; Deploy job runner updated (no Rust compilation needed there)
.github/actionlint.yaml	Deleted; Namespace self-hosted runner label allowlist is no longer needed now that all jobs use standard GitHub-hosted labels
README.md	Namespace CI sponsor block removed
benchmarks/pgo.bash	Comment updated to reference GitHub-hosted runner perf/paranoid constraints instead of Namespace-specific behavior; no logic change

Comments Outside Diff (1)

1. .github/workflows/release-plz.yml, line 33-39 (link)

   The release-plz-release job previously relied on overrides.cache-tag=aube-rust-linux for implicit Rust caching on Namespace runners, but no Swatinem/rust-cache step was added when migrating to ubuntu-latest. The release-plz release action calls cargo publish which compiles every crate being published — without a cache, each release build cold-compiles the entire workspace. The release-plz-pr job (same original cache tag, fixed in this PR) is the direct parallel case.

   

_{Reviews (3): Last reviewed commit: "chore(ci): switch to github-hosted runne..." | Re-trigger Greptile}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

There are 3 total unresolved issues (including 1 from previous review).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit ecb4d8f. Configure here.}

[cursor]

Bench cache not shared with CI

Medium Severity

The new Swatinem/rust-cache steps omit shared-key: linux even though CI’s build and test-linux jobs use that key and the removed Namespace profiles all pointed at the same aube-rust-linux volume. With save-if limiting writes to main, pull-request bench runs won’t restore CI’s warm target/ tree and always pay for a cold release build, which can exceed the pr-bench job’s 25-minute limit.

Additional Locations (2)

• .github/workflows/bench-refresh.yml#L85-L88
• .github/workflows/docs.yml#L34-L37

 

^{Reviewed by Cursor Bugbot for commit ecb4d8f. Configure here.}

[jdx]

Fixed by adding shared-key: linux to the bench-pr, bench-refresh, and docs rust-cache steps so they restore the same Linux cache family as CI. Re-ran actionlint and git diff --check.

[cursor]

Release jobs lack rust caching

Medium Severity

upload-assets-musl-arm64 and upload-assets-pgo switched from Namespace runner labels that mounted the shared aube-rust-linux / aube-rust-linux-arm64 cache volumes, but unlike CI, bench, and docs they never gained a Swatinem/rust-cache step. Release builds therefore always compile from scratch on GitHub-hosted runners, increasing the chance of timeouts or OOM during cross/PGO work.

Additional Locations (1)

• .github/workflows/release.yml#L358-L365

 

^{Reviewed by Cursor Bugbot for commit ecb4d8f. Configure here.}

[jdx]

Fixed by adding rust-cache steps to the release musl-arm64 and PGO jobs, using linux for amd64 Linux, linux-arm64 for native aarch64 Linux, and a separate macOS key. Also updated the stale macOS target comment. Re-ran actionlint and git diff --check.

[jdx]

Addressed the latest Greptile/Cursor feedback: added the missing release-plz-pr cache step, shared Linux cache keys for bench/docs jobs, release cache steps for musl-arm64 and PGO jobs, and refreshed the stale macOS target comment. Validation: actionlint, git diff --check.