revert(ci): switch back to namespace runners

[jdx]

Summary

• reverts chore(ci): switch to github-hosted runners #814 so CI/release jobs run on the previous Namespace runner profiles again
• restores the native ARM64 Linux PGO+BOLT release job to namespace-profile-endev-linux-arm64-large
• restores the Namespace actionlint config/logo/cache-tag wiring removed by the runner migration

Validation

• actionlint
• git diff --check HEAD^ HEAD

---

Note

Medium Risk
Touches release PGO/BOLT matrices and all primary CI paths; misconfigured runner labels or cache tags could break builds or slow releases, but application/runtime code is unchanged.

Overview
This PR reverts the GitHub-hosted runner migration and moves most CI, bench, docs, release, and packaging workflows back onto Namespace profiles (namespace-profile-endev-linux-amd64, macOS arm64, and -large variants for heavy PGO/bench work).

Runner and cache wiring: Jobs that previously used ubuntu-latest / macos-latest for build, test, benches, docs, COPR, Homebrew, and release-plz now target Namespace labels again. BATS shards stay on GitHub-hosted Linux/macOS so jail/sandbox tests still match real OS behavior. Windows build/test remains on windows-latest with Swatinem/rust-cache.

Rust caching: Swatinem/rust-cache is replaced by namespacelabs/nscloud-cache-action (cache: rust) on Namespace Linux/macOS jobs, with shared cache tags (aube-rust-linux / aube-rust-linux-arm64) via profile ;overrides.cache-tag=... so regular CI and -large bench/PGO jobs reuse the same target dirs where arch allows. release-plz-pr drops rust caching entirely in this diff.

Release/PGO: Native aarch64 Linux GNU PGO+BOLT runs on namespace-profile-endev-linux-arm64-large again; amd64 PGO uses -large Namespace runners. Comments in release.yml and benchmarks/pgo.bash document why BOLT uses instrumentation (Namespace perf_event_paranoid, no sysctl) instead of perf/LBR.

Repo hygiene: Adds .github/actionlint.yaml for allowed self-hosted labels, assets/namespace-logo.svg, and a README CI credit section for Namespace.

^{Reviewed by Cursor Bugbot for commit 3af950d. Bugbot is set up for automated code reviews on this repo. Configure here.}

Summary by CodeRabbit

• Chores

  • Updated CI infrastructure to use optimized runner configurations with improved caching mechanisms for faster builds and tests across multiple workflows.

• Documentation

  • Added CI infrastructure acknowledgment section to the README.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR migrates the aube CI infrastructure from GitHub-hosted runners to Namespace-hosted custom runners. All workflows switch to namespace-profile-endev-* runner labels, Rust caching is unified via namespacelabs/nscloud-cache-action, and actionlint is configured to enforce the new runner allowlist. Documentation is updated to explain the new configuration and Namespace runner constraints.

Changes

Namespace CI Runner Migration

Layer / File(s)	Summary
Actionlint self-hosted runner allowlist .github/actionlint.yaml	Defines approved Namespace runner labels (Linux amd64/arm64 and macOS arm64, with large variants) and documents inline cache-tag override behavior for shared caches.
Workflow runner selection and caching system update .github/workflows/bench-pr.yml, .github/workflows/bench-refresh.yml, .github/workflows/ci.yml, .github/workflows/copr-publish.yml, .github/workflows/docs.yml, .github/workflows/publish-homebrew.yml, .github/workflows/release-plz.yml, .github/workflows/release.yml	All workflows migrate from ubuntu-latest/macos-latest to namespace-profile-endev-* runners. Replaces Swatinem/rust-cache with namespacelabs/nscloud-cache-action for Rust caching across all jobs. Adds inline overrides.cache-tag values (e.g., aube-rust-linux, aube-rust-linux-arm64) for selective cache sharing. Updates PGO build matrix to use -large runner variants for x86_64 and aarch64 Linux targets.
Documentation and comments explaining namespace runners README.md, .github/workflows/release.yml, benchmarks/pgo.bash	Adds README section crediting Namespace for CI. Updates PGO job comments to explain new runner sizing for training/compilation headroom. Clarifies macOS arm64 cross-compile behavior under Rosetta on macos-latest-large. Updates BOLT instrumentation phase comment to document that Namespace runners enforce kernel.perf_event_paranoid=2 and do not honor workflow-step sudo sysctl commands.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 From GitHub's cloud to Namespace's care,
Our runners multiply, cached and fair,
nscloud whispers where Swatinem once gleamed,
CI workflows now stream as we'd dreamed. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: reverting to Namespace runners after a previous switch to GitHub-hosted runners (PR #814).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch revert/github-hosted-runners

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR reverts #814 by switching all CI and release jobs back to Namespace runner profiles, restoring nscloud-cache-action for Rust caching on the appropriate jobs, re-adding the actionlint.yaml runner label allow-list, and restoring the Namespace logo/attribution.

• All workflow files switch from ubuntu-latest / macos-latest GitHub-hosted runners back to their corresponding namespace-profile-endev-* profiles, with overrides.cache-tag wiring for shared Rust cache volumes; the aarch64-apple-darwin PGO job intentionally stays on GH-hosted macos-latest due to confirmed Namespace macOS image segfaults.
• Swatinem/rust-cache is replaced by namespacelabs/nscloud-cache-action on jobs that benefit from it; release PGO and musl cross-compile jobs drop the explicit cache step (matching pre-chore(ci): switch to github-hosted runners #814 behavior).
• benchmarks/pgo.bash comment updated to note that Namespace runners set perf_event_paranoid=2 and reject sysctl changes, explaining why BOLT uses instrumentation mode rather than the perf-record LBR flow.

Confidence Score: 4/5

Safe to merge; all changes are runner/cache wiring and documentation with no production logic affected.

The revert is straightforward and runner label changes are consistent across all workflows. One updated comment in release.yml mis-describes the macOS runner in use, and the new SVG asset is missing a trailing newline flagged by the PR's own git diff --check validation step. Neither affects CI correctness.

release.yml — the rustup step comment describes macos-latest-large (Rosetta) but the runner is macos-latest (native ARM64). assets/namespace-logo.svg — missing trailing newline.

Important Files Changed

Filename	Overview
.github/actionlint.yaml	New file enumerating all valid Namespace runner labels for actionlint validation, including cache-tag overrides. Correct and complete.
.github/workflows/ci.yml	Switches build/test jobs to Namespace runners and replaces Swatinem/rust-cache with nscloud-cache-action. BATS shards intentionally keep GitHub-hosted runners for sandbox-behavior tests.
.github/workflows/release.yml	Linux PGO+BOLT jobs switched to Namespace large runners; aarch64-apple-darwin remains on macos-latest. Updated rustup step comment describes macos-latest-large (Rosetta) behavior but runner in use is native ARM64 macos-latest.
.github/workflows/release-plz.yml	release-plz-release and release-plz-pr switched to Namespace runners; rust-cache removed from release-plz-pr consistent with pre-#814 behavior.
.github/workflows/bench-pr.yml	Runner switched to Namespace with cache-tag, nscloud-cache-action replaces rust-cache. Clean change.
.github/workflows/bench-refresh.yml	Both jobs switched to Namespace runners with nscloud-cache-action replacing rust-cache. Clean change.
.github/workflows/docs.yml	Build and deploy jobs switched to Namespace runners; nscloud-cache-action added for the build job. Clean change.
.github/workflows/copr-publish.yml	Runner switched to namespace-profile-endev-linux-amd64; no cache action needed since this job runs in a Fedora container.
.github/workflows/publish-homebrew.yml	Runner switched to Namespace; no Rust cache needed for this packaging job. Clean change.
README.md	Adds Namespace CI attribution block with logo and link above the Star History section.
assets/namespace-logo.svg	New Namespace logo SVG. Missing trailing newline at end of file.
benchmarks/pgo.bash	Comment updated to explain Namespace runners set perf_event_paranoid=2 and don't allow sysctl changes, clarifying why BOLT uses instrumentation mode.

_{Reviews (1): Last reviewed commit: "revert(ci): switch back to namespace run..." | Re-trigger Greptile}

[greptile-apps]

The updated comment describes macos-latest-large (x86_64/Rosetta) behavior, but the actual runner for this matrix row is macos-latest, which is GitHub's native Apple Silicon runner. On macos-latest, aarch64-apple-darwin is already the native target — not a cross-compile — so the Rosetta/std-lib explanation doesn't apply. The previous comment was accurate for the runner in use.

Suggested change

	# GH macos-latest-large defaults to an x86_64-apple-darwin
	# host rustc (Rosetta) — `--target=aarch64-apple-darwin`
	# from pgo.bash then triggers a cross-compile that needs the
	# arm64 std lib explicitly installed. Idempotent on namespace
	# runners where the target is already present.
	# GitHub-hosted macos-latest is Apple Silicon, so
	# aarch64-apple-darwin is the native target. rustup target add
	# is idempotent and ensures the component is present even if a
	# prior toolchain upgrade dropped it.

[greptile-apps]

The file is missing a trailing newline, which is flagged by git diff --check — one of the two validation methods listed in the PR description.

Suggested change

	<path d="M120.148 122.806V110.969H80.4884V122.806H120.148Z" fill="white"></path>
	</svg>
	<path d="M120.148 122.806V110.969H80.4884V122.806H120.148Z" fill="white"></path>
	</svg>

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/ci.yml (1)

36-52: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Lock Linux pull_request cache writes like Windows to prevent Rust cache poisoning

• build and test-linux run on namespace-profile-endev-linux-amd64;overrides.cache-tag=aube-rust-linux and use namespacelabs/nscloud-cache-action@... with cache: rust on pull_request, but they do not set nscloud-cache-exp-do-not-commit (or any other read-only mode). Namespace requires this label to be explicitly configured; without it, the job can write through to the mounted/shared cache volume.
• Your windows job already prevents this by gating cache writes with save-if: ${{ github.ref == 'refs/heads/main' }}—the Linux path should get the same protection (e.g., add nscloud-cache-exp-do-not-commit to runs-on for PRs/untrusted branches, or scope PR runs to a separate overrides.cache-tag).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 36 - 52, The Linux PR runs using the
namespacelabs/nscloud-cache-action with cache: rust can write to the shared
cache (cache poisoning) because it lacks the nscloud-cache-exp-do-not-commit
label or a conditional save like the Windows job's save-if; update the Linux
jobs (e.g., the matrix entry that uses runner
"namespace-profile-endev-linux-amd64;overrides.cache-tag=aube-rust-linux" and
the jobs named build/test-linux that call namespacelabs/nscloud-cache-action) to
prevent writes on pull_request by either adding nscloud-cache-exp-do-not-commit
to runs-on for PR/untrusted branches or by gating cache writes with a
conditional (mirror the Windows approach, e.g., use save-if: ${{ github.ref ==
'refs/heads/main' }} or equivalent) so PR runs become read-only and cannot write
to the mounted/shared cache.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Around line 267-275: The README contains a duplicate "## CI" heading; change
the second "## CI" (the block showing Namespace logo and thank-you) to a
distinct heading such as "## CI Infrastructure" or move that block under an
existing "## Acknowledgments" or "## Contributors" section so anchors aren't
duplicated; update the heading text for that block (the second "## CI") and any
links/anchors that reference it to the new name to resolve the MD024
duplicate-heading lint error.

---

Outside diff comments:
In @.github/workflows/ci.yml:
- Around line 36-52: The Linux PR runs using the
namespacelabs/nscloud-cache-action with cache: rust can write to the shared
cache (cache poisoning) because it lacks the nscloud-cache-exp-do-not-commit
label or a conditional save like the Windows job's save-if; update the Linux
jobs (e.g., the matrix entry that uses runner
"namespace-profile-endev-linux-amd64;overrides.cache-tag=aube-rust-linux" and
the jobs named build/test-linux that call namespacelabs/nscloud-cache-action) to
prevent writes on pull_request by either adding nscloud-cache-exp-do-not-commit
to runs-on for PR/untrusted branches or by gating cache writes with a
conditional (mirror the Windows approach, e.g., use save-if: ${{ github.ref ==
'refs/heads/main' }} or equivalent) so PR runs become read-only and cannot write
to the mounted/shared cache.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: a1715794-7adc-464d-a15d-70bd74ccf4c8

📥 Commits

Reviewing files that changed from the base of the PR and between 55f4ca0 and 3af950d.

⛔ Files ignored due to path filters (1)

• assets/namespace-logo.svg is excluded by !**/*.svg

📒 Files selected for processing (11)

• .github/actionlint.yaml
• .github/workflows/bench-pr.yml
• .github/workflows/bench-refresh.yml
• .github/workflows/ci.yml
• .github/workflows/copr-publish.yml
• .github/workflows/docs.yml
• .github/workflows/publish-homebrew.yml
• .github/workflows/release-plz.yml
• .github/workflows/release.yml
• README.md
• benchmarks/pgo.bash

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Duplicate heading: Two "## CI" sections in the same document.

The README already has a "## CI" section at line 163 that documents the aube ci command. This new section at line 267 introduces a second "## CI" heading for acknowledging Namespace's CI infrastructure support.

Duplicate headings create ambiguous anchor links and confuse readers. Consider renaming this section to distinguish it from the existing one.

📝 Suggested alternatives

Option 1: Rename to a more specific heading:

-## CI
+## CI Infrastructure

Option 2: Move this content into an "Acknowledgments" or "Thanks" section alongside the existing "Contributors" section at line 287.

Option 3: Use a subsection under a broader "Community" or "Support" heading.

As per coding guidelines, markdownlint-cli2 flags this as MD024 (no-duplicate-heading).

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 267-267: Multiple headings with the same content

(MD024, no-duplicate-heading)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` around lines 267 - 275, The README contains a duplicate "## CI"
heading; change the second "## CI" (the block showing Namespace logo and
thank-you) to a distinct heading such as "## CI Infrastructure" or move that
block under an existing "## Acknowledgments" or "## Contributors" section so
anchors aren't duplicated; update the heading text for that block (the second
"## CI") and any links/anchors that reference it to the new name to resolve the
MD024 duplicate-heading lint error.