chore(ci): use namespace runners for ci jobs#9561
Greptile Summary: This PR migrates most GitHub Actions workflows from
Confidence Score: 5/5. Safe to merge; all findings are P2 suggestions about test coverage, no runtime or security defects introduced. Only P2 findings present (sandbox test coverage reduction). The Landlock logic change is correct and consistent with the updated docs. CI infrastructure changes are well-structured with proper cache tag separation.
src/sandbox/landlock.rs: the behavior change (hard-fail on NotEnforced) now has no dedicated e2e test in CI.
Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[apply_landlock called] --> B{deny_read or deny_write?}
B -- neither --> C[return Ok early]
B -- yes --> D[Build Ruleset with BestEffort compat]
D --> E{deny_read + deny_write?}
E -- both --> F[add system read rules + /tmp+/dev full + installs + allow_read + allow_write]
E -- read only --> G[add system read rules + allow_read + allow_write as read]
E -- write only --> H[allow read everywhere + /tmp+/dev full + allow_write paths]
F & G & H --> I[ruleset.restrict_self]
I --> J{status check}
J -- NotEnforced OR !no_new_privs --> K[bail! error]
J -- FullyEnforced OR PartiallyEnforced --> L[return Ok]
```
Reviews (19): Last reviewed commit: "Merge branch 'main' into codex/namespace..."
Code Review
This pull request adds a new macOS ARM64 runner label to the actionlint configuration and includes a Namespace logo and acknowledgement in the README. Feedback highlights that the new runner label is not yet utilized in the workflow files and suggests improvements to the README's HTML structure and the SVG's scaling properties.
| # Labels of self-hosted runner in array of strings. | ||
| labels: | ||
| - macos-14 | ||
| - namespace-profile-endev-macos-arm64 |
The PR description indicates that macOS jobs should now run on the namespace-profile-endev-macos-arm64 runner and use a specific cache volume. However, the necessary updates to the workflow files (.github/workflows/test.yml and .github/workflows/release.yml) are not included in this pull request. This label will not be utilized until those workflows are updated.
| <p> | ||
| <a href="https://namespace.so"> | ||
| <img src="docs/public/namespace-logo.svg" alt="Namespace" width="64"> | ||
| </a> | ||
| </p> | ||
|
|
||
| Thanks to [Namespace](https://namespace.so) for providing CI services for mise. |
The Namespace acknowledgement is currently split into separate blocks with excessive vertical spacing. Grouping the logo and text within a single paragraph improves cohesion. Additionally, adding a height attribute to the img tag helps prevent layout shifts.
| <p> | |
| <a href="https://namespace.so"> | |
| <img src="docs/public/namespace-logo.svg" alt="Namespace" width="64"> | |
| </a> | |
| </p> | |
| Thanks to [Namespace](https://namespace.so) for providing CI services for mise. | |
| <p> | |
| <a href="https://namespace.so"> | |
| <img src="docs/public/namespace-logo.svg" alt="Namespace" width="64" height="64"> | |
| </a> | |
| <br> | |
| Thanks to <a href="https://namespace.so">Namespace</a> for providing CI services for mise. | |
| </p> |
| @@ -0,0 +1,5 @@ | |||
| <svg width="160" height="160" xmlns="http://www.w3.org/2000/svg"> | |||
The SVG is missing a viewBox attribute. Adding viewBox="0 0 160 160" ensures the logo scales correctly when its dimensions are specified in HTML or CSS, maintaining the intended aspect ratio and clarity.
<svg width="160" height="160" viewBox="0 0 160 160" xmlns="http://www.w3.org/2000/svg">
Hyperfine Performance

mise x -- echo

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.28 x -- echo | 18.0 ± 0.7 | 16.4 | 21.3 | 1.00 |
| mise x -- echo | 18.3 ± 1.1 | 16.6 | 34.5 | 1.02 ± 0.07 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.28 env | 18.0 ± 0.9 | 16.1 | 25.6 | 1.00 |
| mise env | 18.1 ± 0.8 | 16.5 | 22.0 | 1.01 ± 0.07 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.28 hook-env | 18.6 ± 0.8 | 16.8 | 22.4 | 1.00 |
| mise hook-env | 18.9 ± 0.8 | 17.3 | 22.5 | 1.02 ± 0.06 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.28 ls | 15.4 ± 0.8 | 13.8 | 18.7 | 1.00 |
| mise ls | 15.7 ± 0.8 | 14.0 | 20.7 | 1.02 ± 0.07 |
xtasks/test/perf
| Command | mise-2026.4.28 | mise | Variance |
|---|---|---|---|
| install (cached) | 120ms | 123ms | -2% |
| ls (cached) | 57ms | 59ms | -3% |
| bin-paths (cached) | 62ms | 63ms | -1% |
| task-ls (cached) | 530ms | 529ms | +0% |
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit d2c6c61.
### 🚀 Features
- **(conda)** graduate conda backend out of experimental by @jdx in [#9544](#9544)
- **(deps)** Add dart and flutter providers by @tjarvstrand in [#9505](#9505)
- **(registry)** add neo4j by @mnm364 in [#9525](#9525)
- **(registry)** add rustfs by @mnm364 in [#9530](#9530)
- **(task)** support exclusion patterns in task sources by @jlarmstrongiv in [#9496](#9496)
- **(vfox)** add stat function to lua file module by @esteve in [#9497](#9497)

### 🐛 Bug Fixes
- **(backend)** flag regex prerelease versions by @jdx in [#9500](#9500)
- **(backend)** mark -nightly/-canary/-experimental as prereleases by @jdx in [#9523](#9523)
- **(backend)** suppress no-versions warning for unresolved-latest backends by @jdx in [#9548](#9548)
- **(backend)** include dotnet prereleases from package flags by @jdx in [#9551](#9551)
- **(backend)** scope PEP 440 prerelease detection to Python backends by @jdx in [#9558](#9558)
- **(cargo)** Apply install_env during cargo install by @c22 in [#9502](#9502)
- **(copr)** drop epel-9 chroots since rust >= 1.91 is unavailable by @jdx in [#9484](#9484)
- **(github)** skip attestations on non-default api_url by @jdx in [#9486](#9486)
- **(github)** retry ip allow list errors without auth by @risu729 in [#9506](#9506)
- **(http)** update versions host tracking endpoint by @jdx in [#9527](#9527)
- **(install)** don't warn for configured tools when version is passed via CLI by @jdx in [#9522](#9522)
- **(install)** refresh latest before installing missing tools by @jdx in [#9545](#9545)
- **(install)** don't cache nonexistent install paths by @jdx in [#9553](#9553)
- **(lockfile)** don't propagate ad-hoc CLI overrides into the project lockfile by @jdx in [#9562](#9562)
- **(plugin)** detect plugin types after cloning by @risu729 in [#9540](#9540)
- **(release)** pass --no-git-checks to aube publish by @jdx in [#9483](#9483)
- **(task)** convert PATH to MSYS Unix form when spawning POSIX shells on Windows by @JamBalaya56562 in [#9547](#9547)

### 📚 Documentation
- **(contributing)** require popularity check for registry PRs by @jdx in [7bbeebe](7bbeebe)
- **(watch)** update pitchfork domain to en.dev by @risu729 in [#9536](#9536)
- document ghtkn GitHub token setup by @jdx in [#9546](#9546)
- clarify registry backend acceptance policy by @jdx in [#9543](#9543)
- Change exec command to use bash for variable echo by @kuboon in [#9567](#9567)

### 🧪 Testing
- **(e2e)** run test-tool targets in parallel by @jdx in [#9564](#9564)
- **(e2e)** run tests in parallel by @jdx in [#9563](#9563)
- **(e2e)** bind-mount /tmp on disk and surface failed tests in CI summary by @jdx in [#9570](#9570)
- **(tasks)** migrate test_task_help atask to usage field by @jdx in [#9549](#9549)

### 📦️ Dependency Updates
- update fedora:45 docker digest to 8b838b3 by @renovate[bot] in [#9507](#9507)
- update ghcr.io/jdx/mise:deb docker digest to f02194c by @renovate[bot] in [#9509](#9509)
- update taiki-e/install-action digest to 7769b73 by @renovate[bot] in [#9512](#9512)
- update ghcr.io/jdx/mise:alpine docker digest to 581f8a8 by @renovate[bot] in [#9508](#9508)
- update rust crate ctor to v0.10.1 by @renovate[bot] in [#9515](#9515)
- update ghcr.io/jdx/mise:rpm docker digest to a5c9655 by @renovate[bot] in [#9510](#9510)
- update rust docker digest to a9cfb75 by @renovate[bot] in [#9511](#9511)
- update rust crate age to v0.11.3 by @renovate[bot] in [#9514](#9514)
- update rust crate jiff to v0.2.24 by @renovate[bot] in [#9516](#9516)
- update dependency vitepress-plugin-tabs to ^0.9.0 by @renovate[bot] in [#9518](#9518)
- update autofix-ci/action action to v1.3.4 by @renovate[bot] in [#9513](#9513)
- update rust crate usage-lib to v3.2.1 by @renovate[bot] in [#9517](#9517)
- update apple-actions/import-codesign-certs action to v7 by @renovate[bot] in [#9519](#9519)
- update taiki-e/install-action digest to 51cd0b8 by @renovate[bot] in [#9531](#9531)
- exclude taiki-e/install-action from renovate by @jdx in [#9532](#9532)
- update rust crate blake3 to v1.8.5 by @renovate[bot] in [#9533](#9533)

### 📦 Registry
- enable shellcheck on windows by @zeitlinger in [#9487](#9487)
- add google-java-format by @zeitlinger in [#9488](#9488)
- add expert ([aqua:expert-lsp/expert](https://github.com/expert-lsp/expert)) by @AlternateRT in [#9498](#9498)
- update entry for checkmake by @eread in [#9504](#9504)
- add systemctl-tui ([aqua:rgwood/systemctl-tui](https://github.com/rgwood/systemctl-tui)) by @2xdevv in [#9521](#9521)
- add codon by @3w36zj6 in [#9538](#9538)
- add tool yr (backend:github:VirusTotal/yara-x) by @adam-moss in [#9542](#9542)
- add tool betterleaks (backend:aqua/betterleaks/betterleaks) by @adam-moss in [#9541](#9541)
- add `git-filter-repo` by @garysassano in [#9550](#9550)
- add umoci ([aqua:opencontainers/umoci](https://github.com/opencontainers/umoci)) by @2xdevv in [#9555](#9555)
- add aqua backend for elixir-ls by @AlternateRT in [#9557](#9557)
- deny inline backend options by @risu729 in [#9565](#9565)

### Chore
- **(ci)** fail registry tests without summary by @jdx in [#9559](#9559)
- **(ci)** use !cancelled() instead of always() for test-ci aggregator by @jdx in [#9569](#9569)
- **(ci)** use namespace runners for ci jobs by @jdx in [#9561](#9561)
- **(config)** deprecate shorthands_file setting by @risu729 in [#9534](#9534)
- **(docs)** remove shrill.en.dev analytics script by @jdx in [#9539](#9539)
- **(release)** replace bc with awk in release-plz star formatting by @jdx in [d7f177f](d7f177f)
- bump hk to 1.44.3 by @jdx in [#9493](#9493)
- invert CLAUDE.md/AGENTS.md so AGENTS.md is canonical by @jdx in [#9560](#9560)
- set dev profile debug to 1 by @jdx in [#9572](#9572)

### New Contributors
- @kuboon made their first contribution in [#9567](#9567)
- @AlternateRT made their first contribution in [#9557](#9557)
- @2xdevv made their first contribution in [#9555](#9555)
- @adam-moss made their first contribution in [#9541](#9541)
- @jlarmstrongiv made their first contribution in [#9496](#9496)
- @tjarvstrand made their first contribution in [#9505](#9505)

Summary

- `release-plz` and Rust-heavy release builds to Namespace with separate cache tags
- `endev` `large` Namespace profiles for Linux/macOS release tarballs and the hyperfine serious build
- `release-plz` paths
- `~/.cache/sccache` where sccache runs directly on the runner
- `sccache` with `SCCACHE_DIR` and a 20G cap before the daemon starts, including macOS jobs

CI fixes

- `bc` arithmetic with integer shell parsing so boundary regressions such as `1.11` are still detected
- `sccache` setup from the `cross` build path
- `sccache --show-stats` with `if: always()` on sccache jobs so diagnostics are kept after failures
- `/tmp` and `/root`

Notes

- `mise-release-rust-linux` and `mise-release-rust-macos`.
- `release-plz` has its own cache tag: `mise-release-plz-rust-linux`.
- `cross`, so it caches Cargo dependencies on the Namespace volume but does not configure runner-local `sccache`.
- `GITHUB_TOKEN` used by tests; it does not expose the GitHub Actions token unless the job environment is changed to provide that token.

Validation

- `actionlint .github/workflows/test.yml .github/workflows/autofix.yml .github/workflows/hyperfine.yml .github/workflows/registry.yml .github/workflows/test-vfox.yml .github/workflows/release-plz.yml .github/workflows/release.yml`
- `shellcheck -x e2e/run_all_tests e2e/run_test`
- `git diff --check`
- `mise x npm:prettier -- prettier --check README.md .github/workflows/test.yml .github/workflows/autofix.yml .github/workflows/hyperfine.yml .github/workflows/registry.yml .github/workflows/test-vfox.yml .github/workflows/release-plz.yml .github/workflows/release.yml`
- `cargo check --all-features`
- `cargo build`
- `E2E_WAIT_FOR_GH_RATE_LIMIT=0 MISE_E2E_DOCKER=1 ./e2e/run_test cli/test_alias`
- `E2E_WAIT_FOR_GH_RATE_LIMIT=0 MISE_E2E_DOCKER=1 TEST_TRANCHE=0 TEST_TRANCHE_COUNT=8 ./e2e/run_all_tests`
- `hk` pre-commit checks during commit

This PR description was generated by an AI coding assistant.
Note

Medium Risk

Medium risk because it substantially changes CI execution environments (runner labels, caching, Docker flags) and tightens Linux Landlock enforcement, which could cause new CI failures or sandboxed commands to error on unsupported kernels.

Overview

CI now runs primarily on Namespace runner profiles (Linux/macOS) with separate cache tags for PR, nightly, release, and `release-plz`, replacing `ubuntu-latest` and most `Swatinem/rust-cache` usage.

Adds `namespacelabs/nscloud-cache-action` plus runner-local `sccache` setup across Rust-heavy workflows, and captures `sccache --show-stats` even on failure.

Hardens containerized test execution: registry `test-tool` and e2e Docker runs are switched to read-only containers with explicit writable tmp/home mounts, and the hyperfine workflow replaces `bc` math with integer-safe parsing for variance checks.

Sandboxing behavior is tightened on Linux by failing when Landlock restrictions are not enforced (and docs updated accordingly), and sandbox-specific e2e tests are removed. README now thanks Namespace and includes a new `namespace-logo.svg` asset.

Reviewed by Cursor Bugbot for commit 5fead29.
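Both the PR description ("CI fixes": replace `bc` arithmetic with integer shell parsing so a boundary value such as `1.11` is still caught) and the Bugbot overview (the hyperfine workflow now uses integer-safe parsing for its variance check) describe the same idea without showing it. The following is an added example, written for this page and not taken from the mise workflows or from the PR, of how such a check can be done in plain POSIX `sh`: each hyperfine "Relative" ratio is scaled to hundredths (`1.11` becomes `111`) and compared as an integer against the limit, so no `bc` is needed and a value exactly one hundredth over the limit is a detected regression. The `to_hundredths`, `check_ratio` and `find_regressions` function names, the `1.10` limit and the sample table are all constructed for this example; the table rows only follow the shape of the hyperfine tables shown above, and the `mise ls` row is deliberately placed at the `1.11` boundary.

```shell
#!/bin/sh
# Added example (not mise's own workflow code): integer-only regression check
# for hyperfine "Relative" ratios that works without `bc`.

# to_hundredths RATIO  -> prints the ratio scaled by 100 as an integer.
# Accepts hyperfine's "1.02 ± 0.07" form (the uncertainty is dropped) and
# values such as "1", "1.1" or "1.105" (extra decimals are truncated).
# Returns 1 when the input is not a non-negative decimal number.
to_hundredths() {
  ratio=${1%% *}                      # keep only the text before the first space
  case $ratio in
    ''|*[!0-9.]*|*.*.*) return 1 ;;   # empty, non-numeric, or more than one dot
  esac
  int=${ratio%%.*}
  frac=
  case $ratio in *.*) frac=${ratio#*.} ;; esac
  frac=$(printf '%s00' "$frac" | cut -c1-2)     # pad, then keep two digits
  # Strip leading zeros so $((...)) never sees "08" and treats it as octal.
  int=$(printf '%s' "$int" | sed 's/^0*//')
  frac=$(printf '%s' "$frac" | sed 's/^0*//')
  echo $(( ${int:-0} * 100 + ${frac:-0} ))
}

# check_ratio RATIO LIMIT -> exit 0 when RATIO <= LIMIT, 1 when it exceeds
# it, 2 when either value cannot be parsed (callers treat 2 as a failure).
check_ratio() {
  lhs=$(to_hundredths "$1") || return 2
  rhs=$(to_hundredths "$2") || return 2
  [ "$lhs" -le "$rhs" ]
}

# find_regressions LIMIT -> reads a hyperfine markdown table
# (| Command | Mean | Min | Max | Relative |) on stdin, prints one line per
# command whose relative ratio exceeds LIMIT, and returns 1 if any did.
# Unparseable ratios are reported as regressions so the check fails closed.
find_regressions() {
  max_rel=$1
  rc=0
  while IFS='|' read -r lead cmd mean mn mx rel rest; do
    cmd=$(printf '%s' "$cmd" | sed 's/^ *//;s/ *$//')
    rel=$(printf '%s' "$rel" | sed 's/^ *//;s/ *$//')
    rel=${rel%% *}                    # "1.11 ± 0.08" -> "1.11"
    case $cmd in ''|Command|---*) continue ;; esac   # skip header/separator
    if ! check_ratio "$rel" "$max_rel"; then
      echo "REGRESSION: $cmd ($rel > $max_rel)"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample table in the shape hyperfine produces; the last row is
# deliberately at the 1.11 boundary and is not a measurement from the PR.
SAMPLE_TABLE='| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.28 env | 18.0 ± 0.9 | 16.1 | 25.6 | 1.00 |
| mise env | 18.1 ± 0.8 | 16.5 | 22.0 | 1.01 ± 0.07 |
| mise ls | 17.1 ± 0.9 | 15.6 | 20.2 | 1.11 ± 0.08 |'

if printf '%s\n' "$SAMPLE_TABLE" | find_regressions 1.10; then
  echo "all commands within the 1.10x limit"
fi
```

Run as-is it prints `REGRESSION: mise ls (1.11 > 1.10)` and exits non-zero from `find_regressions`, which is the property the PR wanted: the comparison is on integers, so there is no floating-point formatting step or external calculator whose absence or rounding could let a boundary value slip through. Rejecting anything that does not parse, rather than skipping it, keeps the check fail-closed when a table column shifts.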